Blog entries about Les Bell and Associates Pty Ltd

by Les Bell - Friday, 11 November 2022, 8:47 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


IceXLoader Rapidly Evolves

Minerva Labs is reporting yet another new version of the IceXLoader loader, which was first discovered last June by FortiGuard. That initial version (v3.0) seemed incomplete, but Minerva recently observed a much more polished version 3.3, which is fully functional and provides a multi-stage malware delivery chain to its criminal customers.

IceXLoader is delivered in the form of a ZIP file which carries a first-stage executable as well as its configuration in the resources. When run, this creates a new folder and then drops the next stage, a .NET downloader called STOREM~2.EXE, into it. At this stage, the machine reboots, executes the next stage and cleans up the folder it just used.

This stage downloads a .PNG file, converts it into a dynamic link library and then executes it in a new thread. This DLL then decrypts the IceXLoader itself, checks that it is not running inside the Microsoft Defender sandbox, delays briefly - again to evade sandbox detection - and finally injects the loader into a new process.

Once the loader is running, it enumerates some system information and uploads it to the C2 server, makes multiple copies of itself and creates registry entries to ensure it persists. Minerva's report provides further details, including IOCs.

Zargarov, Natalie, New updated IceXLoader claims thousands of victims around the world, blog post, 8 November 2022. Available online at https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/.

Cozy Bears Roaming Through Diplomatic Network

A new report from Mandiant describes how Russian state threat actor APT29, a.k.a. Cozy Bear, was able to compromise a European diplomatic organization, gaining initial access through a spear-phishing attack and then possibly pivoting within the organization by exploiting a little-known feature of Active Directory.

While observing the threat actors' behaviour on the victim network, Mandiant observed numerous very strange LDAP queries on the Active Directory domain. LDAP queries are often used for credential gathering, but these were querying an unusual property: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or the ms-PKI-Credential-Roaming-Tokens attribute. Credential Roaming was introduced in Windows Server 2003 SP1, in order to allow certificates and other credentials to 'roam' with the user. Without this, users would not be able to use features such as S/MIME email encryption, since logging in to multiple devices would generate multiple certificates.

By reverse-engineering the binary structure of the attribute and how it is stored when received, Mandiant was able to identify a directory traversal vulnerability, exposed by a failure to properly sanitize the file path. If an attacker can control the ms-PKI-Credential-Roaming-Tokens attribute, they can add a malicious Roaming Token entry and thereby write an arbitrary number of bytes to any file on the system, restricted only by the length of the pathname.

The vulnerability was reported to Microsoft and a patch released in September.

De Berlaere, Thibault Van Geluwe, They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming, blog post, 8 November 2022. Available online at https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming.

New Vulnerability Categorization Methodology

Readers will be familiar with the CVSS scheme for scoring the severity of vulnerabilities. However, a vulnerability management program needs to combine the CVSS (Common Vulnerability Scoring System) score - and elements of its string - with enterprise-specific information, such as the existence of mitigating controls, the value of impacted assets, the cost of possible disruption caused by the deployment of untested patches and other factors in order to prioritize the application of patches to systems or other defensive actions that could be taken.

The US Cybersecurity & Infrastructure Security Agency has released its approach to this problem, in the form of its Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, which was developed in conjunction with the Software Engineering Institute at Carnegie-Mellon. This methodology is intended for use by all levels of government as well as critical infrastructure entities.

The methodology takes into account factors such as evidence of active exploitation, technical impact (already covered by CVSS), whether the exploit is automatable, vulnerability impact on mission-essential functions, mitigation status and the impact on public well-being. As these factors are assessed, they are used to select the appropriate branches of a decision tree, which will terminate in one of four vulnerability scores:

  • Track - no action required at this time, but reassess as new information becomes available
  • Track* - the vulnerability has characteristics that require closer monitoring for changes
  • Attend - requires action from internal supervisory-level individuals, such as requesting assistance, publishing a notification or remediation sooner than the standard update timelines
  • Act - requires action from supervisory-level and leadership-level individuals, including determination of remediation actions as soon as possible

CISA has developed an online SSVC calculator, called Dryad, which will walk a user through the decision tree and can display it - useful for documenting decisions. A stored decision can also be updated later.
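As an added illustration (not CISA's code, nor Dryad), here is how a decision tree of this shape can be walked so that the branches taken are kept as a record, and how a stored decision can be re-run when new information arrives. The leaf table is an assumption: it is my reproduction of the CISA tree from the guide linked below, and should be checked against the published version before use.

```python
"""Walk an SSVC-style decision tree and keep the path for the record.

The four decision points and the four outcomes (Track, Track*, Attend, Act)
are those named in the CISA SSVC story above. The leaf table is this
example's ASSUMED reproduction of the CISA tree; verify it against the
published guide before relying on it.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Decision-point values, each tuple in increasing order of concern.
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
OUTCOMES = ("Track", "Track*", "Attend", "Act")

# ASSUMED leaf table: TREE[exploitation][automatable][technical_impact]
# holds the outcomes for mission_wellbeing = (low, medium, high).
TREE = {
    "none": {
        "no":  {"partial": ("Track", "Track", "Track"),
                "total":   ("Track", "Track", "Track*")},
        "yes": {"partial": ("Track", "Track", "Attend"),
                "total":   ("Track", "Track", "Attend")},
    },
    "poc": {
        "no":  {"partial": ("Track", "Track", "Track*"),
                "total":   ("Track", "Track*", "Attend")},
        "yes": {"partial": ("Track", "Track", "Attend"),
                "total":   ("Track", "Track*", "Attend")},
    },
    "active": {
        "no":  {"partial": ("Track", "Track", "Attend"),
                "total":   ("Track", "Attend", "Act")},
        "yes": {"partial": ("Attend", "Attend", "Act"),
                "total":   ("Attend", "Act", "Act")},
    },
}


@dataclass
class Decision:
    outcome: str
    path: List[Tuple[str, str]] = field(default_factory=list)

    def record(self) -> str:
        """One-line audit record of the branches taken, for documentation."""
        steps = " -> ".join(f"{k}={v}" for k, v in self.path)
        return f"{steps} => {self.outcome}"


def _check(name: str, value: str, allowed: Tuple[str, ...]) -> None:
    if value not in allowed:
        raise ValueError(f"{name} must be one of {allowed}, got {value!r}")


def decide(exploitation: str, automatable: str, technical_impact: str,
           mission_wellbeing: str) -> Decision:
    """Walk the tree top-down, validating each decision-point value."""
    _check("exploitation", exploitation, EXPLOITATION)
    _check("automatable", automatable, AUTOMATABLE)
    _check("technical_impact", technical_impact, TECHNICAL_IMPACT)
    _check("mission_wellbeing", mission_wellbeing, MISSION_WELLBEING)
    leaf = TREE[exploitation][automatable][technical_impact]
    outcome = leaf[MISSION_WELLBEING.index(mission_wellbeing)]
    path = [("exploitation", exploitation), ("automatable", automatable),
            ("technical_impact", technical_impact),
            ("mission_wellbeing", mission_wellbeing)]
    return Decision(outcome, path)


def reassess(previous: Decision, **changes: str) -> Decision:
    """Update a stored decision when new information arrives, e.g. when
    exploitation evidence moves from 'poc' to 'active'."""
    values = dict(previous.path)
    values.update(changes)
    return decide(**values)


def tree_is_monotone() -> bool:
    """Sanity check on the table: worsening any single decision point must
    never lower the outcome. Catches transcription errors in TREE."""
    rank = {o: i for i, o in enumerate(OUTCOMES)}
    axes = (EXPLOITATION, AUTOMATABLE, TECHNICAL_IMPACT, MISSION_WELLBEING)
    combos = [(e, a, t, m) for e in EXPLOITATION for a in AUTOMATABLE
              for t in TECHNICAL_IMPACT for m in MISSION_WELLBEING]
    for combo in combos:
        base = rank[decide(*combo).outcome]
        for i, axis in enumerate(axes):
            pos = axis.index(combo[i])
            if pos + 1 < len(axis):
                worse = list(combo)
                worse[i] = axis[pos + 1]
                if rank[decide(*worse).outcome] < base:
                    return False
    return True


if __name__ == "__main__":
    first = decide("poc", "no", "total", "medium")
    print(first.record())
    print(reassess(first, exploitation="active").record())
    print("table monotone:", tree_is_monotone())
```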

This methodology is not universally applicable, and does not provide particularly granular guidance in patch prioritization. However, it is an interesting approach which could be adapted by enterprises to suit their particular environment and circumstances.

Uncredited, Stakeholder-Specific Vulnerability Categorization, web page, November 2022. Available online at https://www.cisa.gov/ssvc.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR. Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

by Les Bell - Thursday, 10 November 2022, 9:37 AM

News Stories


Medibank Breach, Cont. . .

The Medibank saga continues to drag on; yesterday's posting of around 2.5 GB of data has been followed by more overnight. Yesterday's 'nice' list turned out to contain people who had received treatment for the usual conditions of old age, with the oldest being 105, while the 'naughty' list contained information about approximately 100 individuals who had undergone treatment for drug or alcohol abuse, or for mental health conditions. There has been at least one confirmation from an affected individual that the data is real.

The second upload seems to indicate that the cybercriminals involved are not interested in collecting individual ransoms, but are simply going to create as much damage as they can. We shall have much more to say on this and similar breaches. . .

Amadey Bot Distributes LockBit 3.0

The Amadey Bot infostealer and backdoor has been circulating since at least 2018, typically installing either GandCrab ransomware or the FlawedAmmyy remote access trojan. Now AhnLab Security Emergency Response Center reports that attackers are using it to install LockBit 3.0.

The Amadey Bot malware itself is being distributed in two ways: first via an infected Word file which downloads another file containing a malicious VBA macro, and second via a binary executable that carries the Word program icon.

For the first technique, if the user is duped into enabling content in Word, the VBA macro installs a malicious shortcut and then runs it, causing a PowerShell command to download and run Amadey Bot itself. The executable for the second technique masquerades as a file called Resume.exe (the default Windows behaviour of suppressing filetype extensions is a big problem here), which carries Amadey directly.

Once running, Amadey Bot connects to a C2 server, sends some system information and then waits for commands, which will usually download LockBit as either a PowerShell script or as a binary. ASEC's analysis provides a description and IOCs.

Uncredited, LockBit 3.0 Being Distributed via Amadey Bot, blog post, 8 November 2022. Available online at https://asec.ahnlab.com/en/41450/.

New Branch of APT41 Targets Asia, Ukraine

Researchers at Trend Micro are reporting on a new subgroup of the Chinese state-supported APT41 (Double Dragon), which they have christened Earth Longzhi, and which is targeting government, defense, aviation, insurance and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan and Ukraine. APT41 divides its efforts between state-sponsored cyberespionage and financial crime for profit.

Earth Longzhi was initially identified in early 2022, but analysis of TTPs and code similarities suggests the group has been active since 2020. Their attacks start with a spear-phishing campaign, promising scandalous information about a person, to deliver their malware, either via a link or via a password-protected archive file. The first stage is a custom Cobalt Strike loader. Several generations of loaders have appeared; the first one was called Symatic Loader, and used a variety of antiforensics techniques.

The later campaign saw Earth Longzhi deploy several different custom loaders, which Trend Micro has christened CroxLoader, BigpipeLoader and OutLoader, and some of these have multiple variants, suggesting the group is actively developing their tools. Post-exploitation, they also use customized tools based on some open-source projects, such as a set of standalone binaries based on Mimikatz modules.

Hiroaki, Hara and Ted Lee, Hack the Real Box: APT41's New Subgroup Earth Longzhi, blog post, 9 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html.


by Les Bell - Wednesday, 9 November 2022, 8:59 AM

News Stories


Exfiltrated Medibank Data Posted Online

As we expected, shortly after midnight the BlogXX ransomware group began posting what appears to be client data from the Medibank attack, in two lists titled "good-list" and "naughty-list" on their blog.

"Looking back that data is stored not very understandable format [table dumps] we’ll take some time to sort it out," the group said. "We’ll continue posting data partially, need some time to do it pretty."

The group also posted what seem to be screenshots of messages they had exchanged with Medibank representatives.

I expect the next shoe to drop will be extortion demands on individual Medicare customers, although it's possible the attackers might settle for just enjoying the drama they have created.

AAP, Group claiming to be Medibank hackers start posting client data on dark web, The Guardian, 8 November 2022. Available online at https://www.theguardian.com/australia-news/2022/nov/09/group-claiming-to-be-medibank-hackers-start-posting-client-data-on-dark-web.

Security Professionals As Bad As Everyone Else

At the RSA Conference each year, NetWitness and Cisco run a Security Operations Center (SOC) as an educational exhibit, with NetWitness monitoring the traffic on the wireless network and Cisco providing automated malware analysis, threat intelligence, DNS visibility and intrusion detection. The goal is to educate conference attendees about what happens on a typical wireless network, running daily SOC tours and a conference session.

Cisco has now published a report on their findings, and it does not make happy reading, with the SOC capturing 55,525 cleartext passwords from 2,210 individual accounts. While many of these would possibly be demo accounts used by systems on the trade show floor, and a lot of credentials were leaked by devices running SNMP versions 1 and 2, there was an alarming number of unencrypted authentication exchanges with mail gateways, primarily on the domains of small and medium enterprises. It seems the best thing many small businesses could do to secure their email is to outsource its operation to a service like Google Workspace or Microsoft Outlook - they can do a much better job.

Perhaps the most egregious failure was by the CISO of a public corporation who paid the annual maintenance fee of his CISSP certification and received the receipt over a completely unencrypted session to his open-source Android email client. The SOC personnel had to alert the CISO to the problem and walk him through TLS configuration for his email client. Tsk, tsk.

Bair, Jessica, RSA Conference® 2022 Security Operations Center Findings Report, blog post, 3 November 2022. Available online at https://blogs.cisco.com/security/rsa-conference-2022-security-operations-center-findings-report.

Microsoft Surveys Threat Landscape

With its Digital Defense Report 2022, Microsoft has provided an excellent CISO-level overview of the threat landscape, broken into five sections.

Key takeaways:

  • Cybercrime is increasing as the availability of hacking tools and services lowers the skill barrier to entry, with ransomware and extortion growing more audacious
  • Nation state actors are increasingly targeting critical infrastructure, either as a component of hybrid warfare or, as China is doing in SE Asia, to gain intelligence and competitive advantage
  • Both cybercriminals and nation states are moving to take advantage of vulnerabilities in IoT and OT devices, with a five-fold increase in attacks on remote management devices over the previous year
  • Russia, Iran and China employed sophisticated influence operations to distribute propaganda and impact public opinion to extend their global influence
  • The move to hybrid work has required a pivot in security practices, but the vast majority of successful cyberattacks could be prevented by using basic security hygiene

There are lots of other useful snippets and more than a few lessons in the report.

Uncredited, Microsoft Digital Defense Report 2022, technical report, November 2022. Available online at https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report.


by Les Bell - Tuesday, 8 November 2022, 8:55 AM

News Stories


Medibank Won't Pay; BlogXX Counters

Shortly before the ASX opened on Monday, health and general insurer Medibank, subject of one of Australia's largest ransomware attacks, announced that it would not pay a ransom to the attacker responsible. Citing advice received from experts, the company stated,

"we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.  In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target".

Whether that will turn out to be the case remains to be seen; in the similar Vastaamo case in Finland, the ransomware operator turned to extorting individual patients only after the company refused to pay. In any case, there is general agreement that paying ransomware operators only funds an expansion of their activity, while refusal to pay would destroy their business model.

In any case, this is not good news for any of the 9.7 million affected customers, for whom the ordeal now drags on - but perhaps not for much longer. A successor to REvil/Sodinokibi called BlogXX is apparently claiming credit for the breach and is now threatening to release the data, according to MalwareHunterTeam.

MalwareHunterTeam, "The BlogXX ransomware gang just listed Medibank . . .", tweet, 7 November 2022. Available online at https://twitter.com/malwrhunterteam/status/1589596026926923776.

Uncredited, Cyber event updates and support, information page, 7 November 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.

Useful Guide to Creating Incident Response Playbooks

Those who have been through the stress of responding to a cybersecurity incident know that planning and preparation is key; an effective response cannot tolerate the delays of figuring things out from first principles in the heat of the moment. While many incident response teams start off with a small set of canned playbooks, such as those available from the Incident Response Consortium at https://www.incidentresponse.org/playbooks/, these inevitably lag behind the latest developments in the threat landscape and, perhaps more importantly, do not reflect the network environment, assets and resources of a specific organization.

A new guide from Trend Micro provides a catalogue of example playbooks and templates to suit specific industries and different phases of the incident response cycle. The accompanying article also provides some tips on the selection of an incident response service provider.

LaFleur, Chris, Incident Response Services & Playbooks Guide, blog post, 7 November 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/i/incident-response-services.html.

Robin Banks Steals Cookies

MSSP IronNet first reported on the Robin Banks Phishing-as-a-Service (PhaaS) platform back in July 2022. At that time, the new group was selling phishing kits to other groups who would use them to run social engineering scams, primarily targeting the financial services sector in the US, UK, Canada and Australia. For somewhere between $US50 and $US300 per month, a customer got access to a customisable phishing front end which could detect bots and divert them to a CAPTCHA landing page, plus a user-friendly management interface where they could access captured credentials or have them sent immediately to their personal Telegram channel.

Following that initial report, Cloudflare terminated their services to Robin Banks, disrupting their operations. But now the actor has retooled, shifting their infrastructure to DDOS-GUARD, a well-known Russian provider which hosts a number of phishing sites and criminal content, as well as hosting content for Qanon and 8chan. They have also upped security, requiring their customers to use two-factor authentication in order to access captured credentials, and creating their own private Telegram channel.

The group has also broadened its targets slightly, making use of the evilginx2 Adversary-in-The-Middle reverse proxy engine to steal login session cookies, thereby bypassing 2FA. The initial release of this feature has front-ends for Google, Yahoo and Outlook, and costs customers $US1,500 per month. IronNet's analysts show that Robin Banks' systems are mostly adapted from existing open-source code.

IronNet Threat Research, Robin Banks still might be robbing your bank (part 2), blog post, 3 November 2022. Available online at https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2.

Flight Services Company Jeppesen Restores Services

On 2 November, aviation services company Jeppesen experienced a cyber incident which caused an outage affecting some of its services. Jeppesen and its sister company Foreflight, which are both owned by Boeing, provide instrument approach plates, en-route charts and other documentation which are used by airlines and general aviation worldwide for flight planning and in-flight navigation. One particularly important service which was affected was their NOTAM (Notices to Airmen) service, which distributes notifications of airspace restrictions, runway closures and other essential information; however, following a comprehensive scan and forensic investigation this service has now been fully restored, with other services to follow.

In days of old, Jeppesen shipped huge leather binders full of bible-thin chart pages which pilots lugged around in their flight bags, and which needed to be updated and re-collated on a fortnightly basis, a tedious and time-consuming process. Since the advent of tablets, these have been replaced by a continuously-updated app on an iPad; however, one can't help wondering if some pilots long for the bad old days now that the service has been shown to be vulnerable, like everything else in the cyber-world.

Uncredited, Statement re cyber incident, home page update, 5 November 2022. Available online at https://ww2.jeppesen.com/.


by Les Bell - Monday, 7 November 2022, 8:50 AM

News Stories


Ransomware Strike on Vic Govt Service Provider

A ransomware group has breached tech services company PNORS Technology Group, which counts a number of Victorian government departments among its over 1,000 clients. Two of its businesses, Datatime and Netway, were victims of an attack on 3 November. "The impacted PNORS Technology Group businesses deal with document and data capture, digital conversion and managed IT support for a number of external clients, including government departments", said CEO Paul Gallo.

"Initial investigations by cyber security experts indicated this incident was limited to systems being encrypted and locked. However, overnight the criminals behind the cyber attack released to the company, in a private communication, a sample of what is believed to be stolen data".

Investigations by PNORS, the Victorian Department of Premier and Cabinet and their hired consultants are continuing, with further notifications expected as the extent of the breach is uncovered. A hint from Captain Obvious: the file encryption phase of a ransomware attack is impossible to miss; the exfiltration phase is easy to miss, especially since it often happens well before the encryption.

Murray-Atfield, Yara, Technology group providing services to Victorian government departments hit by cyber attack, ABC News, 5 November 2022. Available online at https://www.abc.net.au/news/2022-11-05/pnors-technology-group-data-security-incident/101620900.

UK Government Scans UK-hosted Systems

The UK's National Cyber Security Centre has instituted a program of scanning all internet-accessible systems that are hosted within the UK for common or high-impact vulnerabilities. The scan, which is regularly performed "using standard and freely available network tools", is fairly non-intrusive, looking at returned version numbers and the contents of HTTP response headers and payloads, and not delivering exploit code. The intention is to build an overview over time of the country's vulnerability exposure.

All scans are performed from just two cloud-hosted IP addresses:

  • 18.171.7.246
  • 35.177.10.231

which have both A and PTR records for scanner.scanning.service.ncsc.gov.uk. HTTP request headers will also contain the line

X-NCSC-Scan: NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information

System owners can opt out of being scanned, although I can't see much reason to do so. Typical home networks, behind NATting routers, will not be scanned, of course.
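For anyone who wants to separate NCSC scan traffic from everything else in their web logs, here is an added example (not NCSC's code) that classifies log lines using the two source IPs, a forward-confirmed reverse DNS check against scanner.scanning.service.ncsc.gov.uk, and the X-NCSC-Scan header value quoted above. The log line layout and the DNS lookup hooks are assumptions, and the sample log lines and DNS answers are constructed.

```python
"""Pick NCSC vulnerability-scan requests out of web-server logs.

The two scanner IPs, the reverse-DNS name and the X-NCSC-Scan header value
come from the NCSC scanning story above. The log line layout and the DNS
lookup hooks are this example's own assumptions; the log lines and DNS
answers below are constructed, not captured.
"""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, Set

NCSC_SCANNER_IPS = frozenset(
    ipaddress.ip_address(a) for a in ("18.171.7.246", "35.177.10.231")
)
NCSC_SCANNER_HOST = "scanner.scanning.service.ncsc.gov.uk"
NCSC_HEADER_VALUE = (
    "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"
)

# Assumed log layout (e.g. a custom Apache LogFormat that appends the
# X-NCSC-Scan request header in quotes, "-" when absent):
#   <client ip> <method> <path> <status> "<X-NCSC-Scan value or ->"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ncsc>[^"]*)"$'
)

# Constructed DNS answers standing in for real PTR and A lookups
# (socket.gethostbyaddr / socket.getaddrinfo in production).
FAKE_PTR: Dict[str, str] = {
    "18.171.7.246": NCSC_SCANNER_HOST,
    "35.177.10.231": NCSC_SCANNER_HOST,
}
FAKE_A: Dict[str, Set[str]] = {
    NCSC_SCANNER_HOST: {"18.171.7.246", "35.177.10.231"},
}


def fake_ptr(ip: str) -> str:
    return FAKE_PTR[ip]      # KeyError stands in for NXDOMAIN


def fake_a(name: str) -> Set[str]:
    return FAKE_A[name]


def forward_confirmed(ip: str, ptr_lookup: Callable[[str], str],
                      a_lookup: Callable[[str], Set[str]]) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) must name the scanner host and
    that host's A records must contain ip. A lookup failure counts as
    'not confirmed' rather than as an error."""
    try:
        name = ptr_lookup(ip)
        return name == NCSC_SCANNER_HOST and ip in a_lookup(name)
    except (KeyError, OSError):
        return False


def classify(line: str, ptr_lookup=fake_ptr, a_lookup=fake_a) -> str:
    """Label one log line:
    ncsc-scan          source IP, FCrDNS and header all match NCSC
    spoofed-header     header claims NCSC but the source does not check out
    ncsc-ip-no-header  NCSC source IP without the header (worth a look)
    other / unparsed   everything else
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    claims_ncsc = m.group("ncsc") == NCSC_HEADER_VALUE
    from_ncsc = (addr in NCSC_SCANNER_IPS
                 and forward_confirmed(str(addr), ptr_lookup, a_lookup))
    if from_ncsc and claims_ncsc:
        return "ncsc-scan"
    if claims_ncsc:
        return "spoofed-header"
    if from_ncsc:
        return "ncsc-ip-no-header"
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count the classification of every non-blank line in a log excerpt."""
    counts = Counter(classify(l) for l in log_text.splitlines() if l.strip())
    return dict(counts)


# Constructed sample log, one line per category.
SAMPLE_LOG = """\
18.171.7.246 GET / 200 "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"
203.0.113.9 GET /admin 404 "NCSC Scanning agent - https://www.ncsc.gov.uk/scanning-information"
35.177.10.231 GET /robots.txt 200 "-"
198.51.100.7 POST /login 302 "-"
not a log line
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(f"{classify(entry):18} {entry}")
    print(summarize(SAMPLE_LOG))
```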

National Cyber Security Centre, NCSC Scanning information, information page, 1 November 2022. Available online at https://www.ncsc.gov.uk/information/ncsc-scanning-information.

Hacktivist DDoS Attacks More Bark Than Bite, Says FBI

According to a Private Industry Notification released by the FBI, distributed denial of service attacks by hacktivists actually "have minimal operational impact on victims; however hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service".

According to the FBI, the targets of such DDoS attacks are selected precisely because of their greater perceived, as opposed to actual, impact; financial institutions, health and medical facilities, emergency services, airports and government facilities are common targets. DDoS attacks are popular with hacktivists because they require little technical knowledge, but allow the attackers to claim responsibility and 'talk up' the attack on social media, possibly recycling information that was exfiltrated in earlier attacks in order to build credibility.

FBI Cyber Division, Hacktivists Use of DDoS Activity Causes Minor Impacts, Private Industry Notification 20221104-001, 4 November 2022. Available online at https://www.ic3.gov/Media/News/2022/221104.pdf.


by Les Bell - Saturday, 5 November 2022, 10:02 AM

News Stories


RAT Threat Actor Impersonates Popular Software Download Sites

An increasingly common tactic by threat actors is creating fake download sites for popular software. Copying a web site can be done with just a few commands and a little editing, and a trojaned version of a popular program can easily be created by repackaging the original with the addition of an infostealer, backdoor or remote access trojan. From there, a small investment in Google advertising will ensure that the fake site appears at the top of a search for a software download.

Latest to adopt this tactic are the threat actors behind the RomCom remote access trojan, who have cloned the download sites for the KeePass password manager, PDF Reader Pro, and SolarWinds Network Performance Monitor. As with a previously-seen campaign, which spoofed versions of Advanced IP Scanner software, the primary target appears to be Ukraine, but this time it is possible that some English-speaking countries, including the UK, are also being targeted. As well as cloning the original download site, the threat actor also registers a similarly-named domain and obtains SSL certificates in order to appear legitimate, before running a spear-phishing campaign directed against the targets.

Blackberry Research & Intelligence Team, RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom, blog post, 2 November 2022. Available online at https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass.

Business Email Compromise Actor Targets Law Firm Clients

As reported yesterday, business email compromise attacks are growing rapidly, with the average value of fraudulent transactions also increasing quickly. Specialist email security service provider Abnormal has detailed the emergence of a new threat actor which they call Crimson Kingsnake, targeting companies in the US, Europe, the Middle East and Australia.

The group's tactic is to impersonate major law firms - the kind you really don't want to under-rate and ignore - or even debt recovery companies, sending fake invoices with a covering letter referring to an overdue payment for services performed a year or more ago. Typically, the email appears to be from a typo-squatted domain similar to that of a real law firm, with genuine logos or letterheads, address information and the name and phone number of a real attorney at the real firm. It seems possible that Crimson Kingsnake is using altered versions of legitimate invoices.

However, these emails are sent randomly, in the blind, rather than spear-phishing known clients of the law firms involved. The intention is to rely on social engineering techniques to trick an accounts payable person at the target company into approving payment of the invoice. One of these is to generate a fake email, apparently from an executive at the target company, clarifying the purpose of the invoice, referring to events that supposedly took place some months previously, and 'authorising' the AP person to proceed with payment.

Hassold, Crane, Crimson Kingsnake, BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks, blog post, 4 November 2022. Available online at https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

by Les Bell - Friday, 4 November 2022, 9:05 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


ACSC Annual Cyber Threat Report Released

The Australian Cyber Security Centre has released its annual threat report, covering the period from July 2021 to June 2022, and it makes predictably depressing reading and ideal fodder for TV news lead stories. Key trends:

  • Cyberspace has become a battleground (No sh*t, Sherlock! [LB])
  • Australia's prosperity is attractive to cybercriminals; BEC has trended towards high-value transactions such as property settlements.
  • Ransomware remains the most destructive cybercrime
  • Worldwide, critical infrastructure networks are increasingly targeted
  • The rapid exploitation of critical public vulnerabilities became the norm (Patch, patch, patch! [LB])

The ACSC has seen a cybercrime reported every 7 minutes, on average, slightly more frequently than last year, with the most reported types being fraud, online shopping and online banking. Losses due to business email compromises amounted to over $A98 million, with an average loss of $64,000 per report.

There are lots more facts and figures, along with the expected guidance, in the report.

Australian Cyber Security Centre, Annual Cyber Threat Report - July 2021-June 2022, Australian Signals Directorate, 6 October 2022. Available online at https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022.

YAPB (Yet Another Privacy Breach)

Yet another Australian business has been hit with a breach - or, more accurately, their customers/clients have been hit. In this case, the victims are tenants, landlords and tradespeople whose personal data was accessed by an unauthorized and unidentified third party via the rental property database of Melbourne real estate agency Harcourts.

Customers were notified via an email stating that the company became aware of the breach on 24 October. The breach apparently occurred via compromise of the account of a service provider, allegedly through the use of a personal device for work, rather than the more secure company-issued device - there's a lesson there about BYOD policy.

The impact for affected individuals could be severe, since the database contained full legal names, email and physical addresses, phone numbers and a copy of their signature. The database also contained photo IDs supplied by tenants, and the bank details of tradespeople. Debate is once again raging about the amount of possibly unnecessary personal data that businesses are requesting and storing.

Hall, Amy, Advocates had warned of the dangers of a real estate data breach. It just happened, SBS News, 3 November 2022. Available online at https://www.sbs.com.au/news/article/advocates-had-warned-of-the-dangers-of-a-real-estate-data-breach-it-just-happened/6mlieq0g0.

New Variant of Raccoon Stealer

In recent years, Raccoon Stealer has been one of the most successful infostealers offered by cybercriminals as Malware-as-a-Service, but it disappeared in March 2022. However, it re-emerged as a new variant in July 2022, and has reached new levels of activity.

An article from specialist malware analysis and hunting firm Any.Run breaks down the operation of Raccoon Stealer. The malware's operation kicks off with extensive antiforensics checks, with the goal of abandoning execution in a sandbox or under a debugger - Any.Run's analysts had to develop some workarounds to get it to run so they could examine its behaviour.

It starts by dynamically loading the Windows API libraries it will need, and then decrypts various strings and C2 server details. Next, it checks the system locale, and will terminate if it finds itself running in a Russian-affiliated (CIS) country. After checking whether it has System (or LocalSystem) admin privileges, it enumerates processes and connects to its C2 servers for instructions about what kind of data to collect.

Apart from basic system information, Raccoon Stealer will look for credentials saved in browsers, session cookies, banking data, cryptocurrency wallets, and credit card information, but it can also exfiltrate arbitrary files. The Any.Run article provides a full analysis of how it performs these actions, with decompiled code for those of us masochists who enjoy reading the stuff.

Uncredited, Raccoon Stealer 2.0 Malware Analysis, blog post, 30 August 2022. Available online at https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/.


by Les Bell - Thursday, 3 November 2022, 8:51 AM

News Stories


Insights into Initial Access Brokers and Ransomware Victims

A new report from strategic threat intelligence firm KELA provides some fascinating insights into the scale and operations of the top ransomware gangs, the industry sectors and countries they are targeting, and the role of initial access brokers in selling network access to the ransomware gangs.

The most prolific ransomware and data leak actors in Q3 2022 were LockBit, Black Basta, Hive, Alphv/BlackCat and the relatively new BianLian, and while they targeted the US most - with 40% of ransomware and extortion attacks - European countries were next in line. The explanation, presumably, is very simple: that's where the money is. It also makes sense that the most-targeted industry sector was professional services - that's where the sensitive data is.

During Q3 2022, KELA traced over 570 network access listings for sale, which would give the initial access brokers a total revenue of around $US4 million. The average price for access was around $US2800 and the median, $US1350. The number of listings was only slightly higher than Q2, but the prices are rising.

Borochov, Sarit, Ransomware Victims and Network Access Sales in Q3 2022, technical report, October 2022. Available online at https://ke-la.com/wp-content/uploads/2022/10/KELA-RESEARCH_Ransomware-Victims-and-Network-Access-Sales-in-Q3-2022.pdf.

Ransomware Impact on US Banks: $US 1.2 Billion

The US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has released its Financial Trend Analysis of ransomware trends. The report, released in conjunction with the International Counter Ransomware Initiative Summit, is based on Bank Secrecy Act (BSA) data, and shows a significant increase in ransomware-related filings during the second half of 2021.

Among the notable findings:

  • Reported ransomware-related incidents have substantially increased from 2020 levels.
  • Ransomware-related BSA filings in 2021 approached $1.2 billion.
  • Roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants.

FinCEN identified 84 ransomware variants during the period of this review; all of the top five highest-grossing ransomware variants in this period are connected to Russian cyber actors.

Uncredited, FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021, news release, 1 November 2022. Available online at https://www.fincen.gov/news/news-releases/fincen-analysis-reveals-ransomware-reporting-bsa-filings-increased-significantly.

Webinar and FAQ on Cyber Insurance

Sticking with the theme of ransomware: one concern is that cyber insurance policies are distorting the ransomware market by incentivizing victims to simply pay the ransom, since the cost will be covered by an insurance policy. Some insight into this process can be found in an interesting webinar and FAQ provided by Trend Micro, in which their cyber risk specialist, Vince Kearns, talks to the VP of Insurance at iBynd, an InsurTech broker that specializes in cyber insurance.

The top question is pretty obvious: What are the most important cyber insurance policy coverages for businesses? And here is the answer:

  1. Notification and expense coverage
    After customer data is compromised, there are state-regulated notification requirements an organization must follow. Cyber insurance companies help navigate and handle the notifications and expenses associated with them such as hiring a forensics expert to identify the cause of the breach, monitoring the affected individuals’ credit score, and paying costs to restore stolen identities.
  2. Business interruption
    Remember when Kaseya, a US ransomware attack, led to Swedish supermarket chain, Coop, shutting down 800 stores? If Coop had business interruption coverage, it would help recoup (no pun intended) some or all the lost revenue.
  3. Liability
    In the event a group or individual decides to sue your business after a breach – for example, for negligence because you didn’t have the right security controls and procedures in place to stop sensitive data from being compromised — liability coverage would assist with legal expenses and/or settlement costs.
  4. Funds transfer fraud
    The FBI estimates that since 2016, business email compromise (BEC) attacks have caused $43B in losses. If an unsuspecting employee falls victim to a BEC scam, funds transfer fraud coverage helps cover losses.
  5. Ransom/extortion
    If you find yourself being extorted after cybercriminals encrypt and potentially exfiltrate sensitive data, this coverage will help you attribute the threat actor, negotiate, and pay on the behalf of the business to regain access.

The FAQ continues, delving into the factors that affect policy pricing, the role of risk rating services like Security Scorecard and Bitsight, the effect of cryptocurrency on ransomware policy coverage and other useful information.

Trend Micro staff, Cyber Insurance Market 2022: FAQs & Updates with iBynd, blog post, 5 August 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/h/cyber-insurance-market-2022.html.

OpenSSL 0day Patches Appearing - But No Big Deal

The expected patches for the widely-noised OpenSSL 3.0 vulnerabilities have now started to flow through the supply chain, but as also expected, there was a lot of smoke but not much fire, primarily due to the fact that OpenSSL 3.0.x is not yet widely deployed.

CVE-2022-3602 is a buffer overflow (in 2022?) in the code for name constraint checking in X.509 certificate verification, but its exploitation would require a certificate authority to sign a malicious certificate (or the verifying application to ignore the absence of a path to a trusted issuer), and could conceivably lead to remote code execution. CVE-2022-3786 is a similar buffer overflow (yes - in 2022) which could crash a system.

The update has now started to flow through software distribution channels - our only vulnerable machine, a dev/test server, updated its OpenSSL installation around 0330z on 2 November. The Dutch NCSC is running a Github page listing software which incorporates OpenSSL, along with vulnerability status, at https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md.

Uncredited, OpenSSL Security Advisory [01 November 2022], security advisory, 1 November 2022. Available online at https://www.openssl.org/news/secadv/20221101.txt.

Australia's Shadow Security Minister Embarrassed By Site Hack

Liberal Senator James Paterson, chairman of Parliament's Joint Committee on Intelligence and Security in the previous Liberal/National Coalition government, has been embarrassed by the revelation that the website of an organization he had founded had been overrun for over a year by hackers posting thousands of pages touting illegal and dubious products, including "endorsements of graphic pornography, cryptocurrency schemes, apparently non-prescription use of steroids and an erotic, Russian version of poker".

The site also hosted pages promoting spyware, keystroke loggers and, for a little over an hour after queries were sent to the Senator, a gateway for credit card payments (adult membership: $120.00).

Senator Paterson has been a strong proponent of increasing government powers to monitor the Internet to counter foreign threats, and to increase the powers of the Australian Cyber Security Centre, and so after the site was shut down, senior Liberals promptly referred the case to the ACSC.

There is no suggestion that Senator Paterson was directly responsible for the administration of the site, which had fallen into disuse. However, it was minimally maintained and secured, and there was a definite failure of governance in this case.

Robertson, James and Matthew Elmas, James Paterson's cyber hard line undermined as website is overrun by bots, The New Daily, 2 November 2022. Available online at https://thenewdaily.com.au/news/politics/2022/11/02/james-paterson-cyber-security-embarrassment/.


by Les Bell - Wednesday, 2 November 2022, 8:45 AM

News Stories


International Counter Ransomware Summit

The White House has brought together over 35 countries, the EU and multiple private sector firms for a two-day summit to discuss how best to counter ransomware attacks. US Government officials attending included FBI Director Christopher Wray, national security adviser Jake Sullivan, Deputy Treasury Secretary Wally Adeyemo and Deputy Secretary of State Wendy Sherman.

The administration was prompted to act by the increasing level of ransomware activity, citing recent high-profile attacks such as that on the LA Unified School District. The situation is doubtless being exacerbated by the amount of money being paid to ransomware operators, which allows them to buy and develop 0day exploits, which will, in turn, lead to even more money being paid, etc.

While the summit will focus on improving system resilience and developing techniques to disrupt threat actors' activities, I dare say the idea of legislation to ban the payment of ransoms will be a hot topic.

Uncredited, White House invites dozens of nations for ransomware summit, news report, 31 October 2022. Available online at https://apnews.com/article/technology-european-union-business-christopher-wray-wally-adeyemo-aff98eba1c7470f9b0128c882971547d.

EdTech Company Chegg Earns Wrath of Federal Trade Commission

For many years, student-focused web site Chegg has been the bane of academics, with its support for sharing of exam questions, class assignments and solutions, etc. The growth of this and similar sites has forced educators to produce completely new exam papers and assignments each year, a heavy workload.

Now comes news that Chegg itself has let its users down, suffering multiple breaches over the last five years and exposing the personal data of millions of students. According to a complaint before the Federal Trade Commission, Chegg's scholarship search service collects sensitive personal information from its users, including 'religious denomination, heritage, date of birth, parents' income range, sexual orientation and disabilities', as well as videos of tutoring sessions that included users' images and voices.

This data is stored in AWS S3 buckets, which Chegg allegedly has failed to reasonably secure. The FTC complaint documents four breaches over a three-year period; in one case, the use of a single AWS access key that provided full administrative privileges over all data allowed a former contractor to access the data of millions of users which was later found for sale online. This dump included plaintext (!) passwords for 25 million accounts.

Other breaches, primarily via phishing attacks, gave access to both student and employee data which again was found for sale online. (I dare say some universities would be keen buyers, as they investigate cases of alleged plagiarism!)

Khan, Lina M., et al., Complaint In the Matter of CHEGG, INC., a corporation, FTC Complaint docket 202-3151, October 2022. Available online at https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf.


News for CISSPs


(ISC)2 Board Election Opens With Dubious Ballot Form

The election for the (ISC)2 Board has opened today with an online voting form which provides the five candidates put forward by the current Board for the five open positions - in other words, not much of an election at all.

As regular readers will be aware, an alternate slate of five candidates is standing as write-in candidates (I have reprinted their information below). However, the online ballot form provides only one position for a write-in candidate; in the opinion of many members, a fair form would provide as many write-in slots as there are open positions.

Many members are irate; some are voting but writing in multiple candidates in the one field (which will possibly not be counted as a valid vote), while others are complaining to Member Services. Others are considering legal action, and at least one request for investigation of the organization's non-profit status has been raised with the IRS.

Overall, the mood is that the election should be cancelled and only restarted once the ballot form has been fixed to comply with the requirement to allow for multiple write-in candidates as stated in section IV.8 of the Bylaws. (ISC)2 is unlikely to comply.

Alternative Slate for Upcoming (ISC)2 Election

As those certified by (ISC)2 should know by now, the election for the upcoming vacancies on the Board of the organization will open on 1 November. As previously discussed, the current Board has nominated only five candidates for the five vacancies - a move that renders the election moot - as well as proposing a set of contentious changes to the By-Laws which will further disenfranchise the membership.

Several members who had nominated for Board positions - some of them with previous experience and, more to the point, continued engagement with the members - have asked the voting members to consider them as write-in candidates. With the assistance of Stephen Mencik (one of those stepping forward) I have assembled the following information:

Here are the members asking for your support - and, I would suggest, offering you theirs:

  • Wim Remes - Belgium - member number 97080
  • Stephen Mencik - US - member number 10288
  • Richard Nealon - Republic of Ireland - member number 4205
  • Sami O. Koskinen - Finland - member number 54813
  • Diana-Lynn Contesti - Canada - member number 5053

For those interested in more information about the five people asking for your write-in votes, here are their information pages:

The above site was used in an attempt to gain enough petitions to get on the ballot via that route. There are links to his resume and to the skillset questions and answers from the nomination process, and letters of recommendation. Mr. Mencik is ISC2 Member number 10288 and holds CISSP-ISSAP, ISSEP. Mr. Mencik also did most of the work on the counter-proposals for by-laws found at https://jsweb.net/isc2.

This site was used by Ms. Contesti in an attempt to gain enough petitions to get on the ballot. It contains a summary of her qualifications. Ms. Contesti is ISC2 member number 5053 and holds CISSP-ISSAP, ISSMP, CSSLP, SSCP.

This site was used by Mr. Remes in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Remes is ISC2 member number 97080 and holds CISSP.

This site was used by Mr. Nealon in an attempt to gain enough petitions to get on the ballot. It contains a summary of his qualifications. Mr. Nealon is ISC2 member number 4205 and holds CISSP-ISSMP, SSCP.

The link is to Mr. Koskinen's LinkedIn profile, which gives a summary of his qualifications. Mr. Koskinen is ISC2 member number 54813 and holds CISSP-ISSMP.

I would urge all those entitled to vote to visit the pages above and consider carefully before voting.


[ Modified: Wednesday, 2 November 2022, 8:48 AM ]

by Les Bell - Tuesday, 1 November 2022, 9:16 AM

News Stories


Finnish Police Identify Vastaamo Hacker

The National Bureau of Investigation in Finland has been making progress in its investigations of the massive privacy breach of mental health care provider Vastaamo.

For those who missed the original incident, Vastaamo suffered a breach which encrypted their patient records and held them ransom. When the company CEO refused to negotiate with the attackers, they responded by releasing sensitive patient records on a dark web server, and then turned to extorting payments from the patients themselves. It appears that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and has now been charged with a data protection offence, facing up to a year in prison. Prosecutors claim that infosec management at the company was in "absolute chaos when it comes to available resources, budget, using and utilising the necessary expertise, and training and skills". The company itself was subsequently liquidated.

On 27 October, the Helsinki District Court remanded a Finnish man, about 25 years old, in absentia on probable cause of aggravated computer break-in, attempted aggravated extortion, and aggravated dissemination of information violating personal privacy. The suspect was remanded in absentia, since police established that he lived abroad, and a European arrest warrant has been issued against him. He can be arrested abroad under this warrant, after which the police will request his surrender to Finland. An Interpol notice will also be issued against the suspect.

Teivanen, Aleksi, Prosecutors: Vastaamo's information security was in absolute chaos, Helsinki Times, 5 October 2022. Available online at https://www.helsinkitimes.fi/finland/finland-news/domestic/22293-prosecutors-vastaamo-s-information-security-was-in-absolute-chaos.html.

Poliisi, One person remanded in absentia for Vastaamo hacking incident, news item, 28 October 2022. Available online at https://poliisi.fi/-/yksi-vangittu-poissaolevana-liittyen-vastaamon-tietomurtoon?languageId=en_US.

SQLite Vulnerability Fixed, 22 Years On

The SQLite database engine project has released a fix for a format string parsing vulnerability that was originally introduced into version 1.0.12, back in the days of 32-bit systems in October 2000. CVE-2022-35737 was uncovered by researcher Andreas Kellas, and affects modern 64-bit systems; how it manifests depends on whether it is compiled with stack canaries enabled or not.

Essentially, the vulnerability can be exploited by passing large strings to the SQLite implementation of printf() when the format string contains the %Q, %q or %w format specifiers - any of these will cause the program to crash. But in the worst case, if the format string contains the ! special character to enable unicode character scanning, then it is possible to achieve arbitrary code execution, or at least cause the program to hang.

The impact of this vulnerability could be massive, since SQLite is used as a database in all kinds of systems, especially embedded systems. It is also disappointing since SQLite has a good security track record. Users are advised to update to version 3.39.2.

Kellas, Andreas, Stranger Strings: An exploitable flaw in SQLite, blog post, 25 October 2022. Available online at https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/.

Kaspersky Details APT10 LODEINFO Backdoor

Security company Kaspersky has published a new two-part report on the operation of the LODEINFO backdoor, which is being used by the Chinese Cicada group, APT10, in attacks against Japanese media groups, diplomatic agencies and government and public sector organizations.

APT10's initial access tactics have been continually evolving, and they have continued to obfuscate LODEINFO to make detection more difficult. They are now delivering LODEINFO via a spear-phishing malmail which carries a self-extracting RAR file containing the legitimate K7Security Suite executable, NRTOLD.exe. However, the RAR also contains a malicious DLL named K7SysMn1.dll, and when NRTOLD.exe is executed, rather than loading the genuine DLL, it loads the malicious one: the attackers rely on the Windows DLL search order, which looks in the executable's own folder before the system directories, to pick up the malicious DLL dropped alongside the .EXE. Since the DLL is side-loaded by a legitimate, signed executable and is heavily obfuscated, it may not be detected by security applications.

Another variant uses VBA code in a password-protected Word file to download shellcode which is injected into the memory of the WINWORD.EXE process.

In fact, six different variants of LODEINFO appeared during 2022; APT10's TTPs appear to be evolving rapidly.
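The side-loading pattern described above (a legitimate EXE loading a DLL dropped beside it in a folder no installer would use) is something an image-load feed can be triaged for. The following is an added example, not code from the blog or from Kaspersky; the record layout, the trusted-root list and every sample path are constructed here for illustration.

```python
"""Triage helper: flag image-load records where an EXE loads a DLL from its
own directory and that directory is not a normal install location, which is
the side-loading pattern in the LODEINFO delivery described above.
Added example, not code from the blog or from Kaspersky; the record layout
and all sample paths are constructed for this illustration."""
import ntpath

# Where a properly installed product is expected to live; an EXE running
# from under one of these is left alone (assumed list, tune per estate).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def _dir_of(path):
    """Lower-cased, normalised directory of a Windows path, with a trailing
    backslash so that prefix tests cannot match a sibling directory."""
    return ntpath.dirname(ntpath.normpath(path)).lower() + "\\"


def _under_trusted_root(directory):
    return any(directory.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_sideload_candidate(record):
    """True when the loaded DLL sits beside the loading EXE in a directory
    outside TRUSTED_ROOTS (e.g. a temp folder a self-extracting archive
    unpacked into). Loads of system DLLs from System32 are not flagged,
    because that is the normal end of the search order."""
    dll = record["image_loaded"].lower()
    if not dll.endswith(".dll"):
        return False
    exe_dir = _dir_of(record["process_image"])
    if _under_trusted_root(exe_dir):
        return False
    return _dir_of(dll) == exe_dir


def scan(records):
    """Return the subset of records an analyst should look at."""
    return [r for r in records if is_sideload_candidate(r)]


# Constructed sample records in the shape of Sysmon image-load events
# (process image + loaded image); paths and folder names are invented.
SAMPLE_RECORDS = [
    # Properly installed copy of the suite: nothing to flag.
    {"process_image": r"C:\Program Files\K7Security\NRTOLD.exe",
     "image_loaded": r"C:\Program Files\K7Security\K7SysMn1.dll"},
    # The reported pattern: EXE unpacked into a temp folder loads a
    # same-named DLL that was dropped next to it.
    {"process_image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\NRTOLD.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\K7SysMn1.dll"},
    # Same unpacked EXE loading a genuine system DLL: normal behaviour.
    {"process_image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\NRTOLD.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("side-load candidate:", hit["process_image"], "->", hit["image_loaded"])
```

Any portable application that ships its own DLLs will also match, so treat hits as a triage queue to be enriched with signer and hash data, not as a verdict.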

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 1, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/.

Ishimaru, Suguru, APT10: Tracking down LODEINFO 2022, part 2, blog post, 31 October 2022. Available online at https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/.

Don't Forget That OpenSSL Patch!

A reminder that the OpenSSL Project team will release a patch for a significant vulnerability in version 3 today, November 1st, between 13:00 and 17:00 UTC. While many Linux distributions still use version 1 of OpenSSL, recent distributions have moved to version 3, and so users should monitor their upstream repositories for an update to version 3.0.7.
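To check a host against the fixed versions named in the SQLite item above (3.39.2) and in this OpenSSL reminder (3.0.7), here is an added example in Python that is not code from the blog or from either project; it reads the library versions linked into the running interpreter, and the same function accepts any `openssl version` output string.

```python
"""Check OpenSSL and SQLite version strings against the fixed releases the
briefing names: OpenSSL 3.0.7 for CVE-2022-3602 / CVE-2022-3786 (only the
3.0.x series is affected) and SQLite 3.39.2 for CVE-2022-35737 (present
since 1.0.12). Added example, not code from the blog or either project."""
import re
import sqlite3
import ssl

# Per product: list of [first_affected, first_fixed) numeric version ranges,
# taken from the briefing text.
AFFECTED_RANGES = {
    "openssl": [((3, 0, 0), (3, 0, 7))],   # 1.0.x / 1.1.x are not affected
    "sqlite": [((1, 0, 12), (3, 39, 2))],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first dotted numeric version in text as an int tuple.
    Handles 'OpenSSL 3.0.6 6 Oct 2022', '3.39.1' and '1.1.1n' (the 1.x
    letter suffix is dropped: only the numeric part decides membership
    in the ranges above, and 1.x lies outside them anyway)."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(product, version_text):
    """True when the version falls inside an affected range for product."""
    if product == "openssl" and "libressl" in version_text.lower():
        return False   # different code base; the OpenSSL advisory does not apply
    version = parse_version(version_text)
    return any(low <= version < high for low, high in AFFECTED_RANGES[product])


def check_local():
    """Report on the OpenSSL and SQLite libraries linked into this
    interpreter, as {product: (version string, affected?)}."""
    results = {}
    for product, version_text in (("openssl", ssl.OPENSSL_VERSION),
                                  ("sqlite", sqlite3.sqlite_version)):
        results[product] = (version_text, is_affected(product, version_text))
    return results


if __name__ == "__main__":
    for product, (version_text, affected) in check_local().items():
        status = "UPDATE NEEDED" if affected else "ok"
        print(f"{product:8} {version_text:40} {status}")
```

The interpreter's copies are only one of several on a typical host; feed the output of each binary's `openssl version` into `is_affected` to cover statically linked or vendored builds, as the NCSC-NL software list mentioned above suggests.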

