Blog entries about Les Bell and Associates Pty Ltd

by Les Bell - Wednesday, 19 October 2022, 6:29 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


More Ransomware Attacks Target Ukraine, Poland

Microsoft Threat Intelligence Center (MSTIC) has been tracking a ransomware campaign targeting logistics and transportation firms in Ukraine and Poland. This follows earlier attacks on the same industry, presumably to weaken Ukraine's defences against Russia, but is quite distinct from the previous attacks, which used AprilAxe (ArguePatch) / CaddyWiper or Foxblade (HermeticWiper) to target Ukrainian critical infrastructure over the last two weeks.

The new malware identifies itself, in its ransom note, as "Prestige ranusomeware", and was deployed over a one-hour period on 11 October. In all cases, the attacker had already gained highly-privileged access, such as domain admin privileges - perhaps from a previous compromise. Three distinct methods were used to deploy the ransomware; the first two copy the malware to the ADMIN$ share on a remote system and make use of the Impacket WMIexec tool to either create a scheduled task or run a PowerShell command to run it. The third technique copies the payload to an AD domain controller and then distributes it via Group Policy.

The MSTIC report provides a complete analysis, IoCs and recommended customer actions.

Microsoft Threat Intelligence Center, New "Prestige" ransomware impacts organizations in Ukraine and Poland, blog post, 14 October 2022. Available online at https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/.

Yet Another Australian Privacy Breach

Australia continues a long streak of privacy breaches - or perhaps it's just that the media, with heightened awareness following last month's Optus breach, is keener to report them. The latest victim is online wine dealer Vinomofo, which reports that "an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website".

Vinomofo is believed to have approximately half a million customers. It is not clear how much, or what kinds of, information was accessed, but likely at risk are names, addresses, email addresses, phone numbers and - required for alcohol sales - dates of birth. The company has reported the breach and warned customers to be alert for scam activity.

Shepherd, Tory, Vinomofo data breach: 500,000 customers at risk after wine dealer hit by cyber-attack, The Guardian, 18 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/18/vinomofo-data-breach-cyber-attack-hack-australian-wine-seller.

QAKBOT Adds Brute Ratel as Second Stage

QAKBOT, which first emerged as an infostealer in 2007, gradually morphed into a 'malware-installation-as-a-service' model that was often a precursor to ransomware infections. Now, Trend Micro researchers report on a new phase of QAKBOT operations, shifting to the distribution of the recently-cracked Brute Ratel post-exploitation framework.

The new campaign starts with a spam email containing a malicious link to a password-protected .ZIP file which, in turn, contains a .ISO file - likely a way to escape the Windows "Mark of the Web", which flags files downloaded from the Internet as untrusted. The .ISO image contains a shortcut named "Contract" along with two hidden subdirectories, which in turn contain the actual malware. A JavaScript fragment runs a batch file which then invokes the QAKBOT DLL.

Ten minutes later, the malware makes contact with the QAKBOT C2 servers, and then waits a further 6 minutes before performing some automated reconnaissance using LOLbin commands. Five minutes later, it drops the Brute Ratel DLL, and a few minutes after that, manual reconnaissance activities begin.

Curiously, Cobalt Strike is used for lateral movement which, if not stopped, will likely end with domain-wide ransomware deployment.

Kenefick, Ian, Lucas Silva and Nicole Hernandez, Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike, blog post, 12 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

 
by Les Bell - Tuesday, 18 October 2022, 9:15 AM

News Stories


Fashion Company Fined for Privacy Breach Coverup

The parent company of women's fashion site Shein has been fined $US1.9 million following an investigation by the Attorney General's office in New York State. The investigation found that the company had failed to properly safeguard customer data, using a weak hashing algorithm, storing some credit card details as plaintext and failing to reset customer passwords or otherwise protect accounts following the breach.

Shein minimized the impact of the breach, stating only that the names, email addresses and "encrypted password credentials" of approximately 6.42 million customers had been stolen. In fact, 39 million accounts were exposed, worldwide, with only a small fraction being notified. Worse still, the claim that the company had "seen no evidence that credit card information was taken from our systems" was blatantly false, since it was unaware of the breach until notified by a payment processor that its systems appeared to have been compromised and card data stolen.

The company, Zoetop Business Company, Ltd, will now have to maintain a comprehensive information security program that includes robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice and prompt password resets.

Cluley, Graham, Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach, Bitdefender blog, 18 October 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/fine-for-shein-fashion-site-hit-with-1-9-million-bill-after-lying-about-data-breach/.

PHP Infostealer Masquerades as Cracked Software Installer

The Ducktail Infostealer has been operating since late 2021, and is attributed to an otherwise unidentified Vietnamese threat group. It was based on a binary written using .NET Core, and used a Telegram channel for C2. The campaign targeted users with access to their employers' Facebook Business accounts, with the intent of stealing data and hijacking the accounts.

A new variant has now emerged, written - somewhat curiously - in the PHP programming language. The malware masquerades as a free or cracked installer for a variety of applications, including games, Microsoft Office, Telegram and other programs, and is distributed in ZIP file format via a number of file sharing platforms. The new version looks for a broader range of information, including browser cookies, cryptocurrency account information and more, although it still searches Facebook Business accounts and related pages. The new variant also has a new C2 mechanism, exchanging JSON messages with a dedicated web server, where it also stores exfiltrated data.

Dewan, Tarun and Stuti Chaturvedi, New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts, Zscaler blog, 13 October 2022. Available online at https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts.

Red Team / Blue Team Visualization Tool

The US Cybersecurity & Infrastructure Security Agency has released RedEye, an interactive open-source analytic tool to visualize and report red team command and control activities. RedEye allows Blue Teamers to quickly assess complex data and evaluate mitigation strategies, enabling effective decision making.

CISA, RedEye - Visualizing Penetration Testing Engagements, YouTube video, 15 October 2022. Available online at https://www.youtube.com/watch?embed=no&v=b_ARIVl4BkQ.

cisagov, RedEye, GitHub repository, 15 October 2022. Available online at https://github.com/cisagov/RedEye/.


 
by Les Bell - Monday, 17 October 2022, 5:58 AM

News Stories


Dutch Police Exploit Bitcoin Slowness to Recover Ransomware Keys

The Dutch National police have been able to recover over 150 ransomware decryption keys from the Deadbolt ransomware gang and, presumably, restore file access for the victims. The technique they used was suggested by security firm Responders.NU, and relies on the way in which Bitcoin confirms transactions.

After a Bitcoin node verifies a transaction it then transmits the transaction to its neighbours. Sooner or later, the transaction will be picked up by Bitcoin miners, which will assemble the transaction into a candidate block and then try to validate the block, which typically takes around ten minutes. Once one miner succeeds, the block will be incorporated into the blockchain and broadcast. However, to be considered irreversible, a transaction needs to be six blocks deep in the blockchain, which will take around an hour; only then is it considered confirmed.

Therein lies the problem for the DeadBolt gang: when a victim paid the ransom, the DeadBolt automated system would create a bitcoin transaction in reply, containing the decryption key, without waiting for confirmation. The police then simply canceled the original transactions. Together with the police, Responders.NU created a website (https://deadbolt.responders.nu/) where DeadBolt victims who have not yet been identified can check whether their key is one of those recovered.

It was nice while it lasted, but inevitably, the gang discovered what was going on and modified their system to require Bitcoin confirmation.

Uncredited, Unique intervention on ransomware gang Deadbolt, news release, 14 October 2022. Available online at https://www.politie.nl/nieuws/2022/oktober/14/09-nederlandse-gedupeerde-geholpen-in-unieke-ransomware-actie.html.

Magniber Ransomware Spreads As JavaScript

Because it needs access to low-level operating system APIs to perform file encryption - not to mention disabling protection features like Windows' Volume Shadow Copy Service - ransomware generally needs to be a native binary executable, and will often rely upon some other exploit code to perform the initial infection.

However, in September HP Wolf Security detected a ransomware campaign that targeted home users with a website drive-by attack, using a ZIP file containing JavaScript code which would masquerade as a software update. The JavaScript code used a twist on the DotNetToJScript technique, allowing it to assemble and run a .NET executable in memory. The advantage of this technique is that by not creating a file, the malware evades detection tools that monitor file creation, and also leaves nothing behind on disk for analysts to use. The .NET code also de-obfuscates some shellcode and injects it into another process, which then runs the actual ransomware code.

From here, the code follows the well-trodden path of disabling backup and recovery features, then encrypting files before placing a ransom note in each directory and opening a browser window to display it.

Although this campaign targeted home users, enterprises can expect similar attacks as other groups pick up on this fileless approach to evading detection. The report from HP Threat Research provides further details, including IOCs.

Schläpfer, Patrick, Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates, blog post, 13 October 2022. Available online at https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/.

Microsoft Office Coders Make Rookie Crypto Mistake

Attendees at our SE221 CISSP Fast Track courses are familiar with the various techniques (OpenPGP, S/MIME, etc.) which are used for end-to-end email security. Equally, they are familiar with the dangers of using ECB (Electronic Code Book) mode with symmetric block ciphers: ECB is vulnerable to a variety of attacks - especially chosen-plaintext and chosen-ciphertext attacks - but worst of all will leak information when used to encrypt plaintext that has large-scale structure imposed on repeated small sequences of data, such as bitmapped graphics.

This has caused lots of problems over the years - for example, when everyone switched to Zooming from home in 2020, it didn't take long for someone to discover that Zoom was using ECB mode to encrypt video and audio. Adobe's giant data breach of 2013 - which affected over 3 million customers - was, at base, down to exactly the same problem.

But the Redmondites have always considered themselves the smartest men in the room, and so everyone else's experience didn't stop them from using ECB mode in Office Message Encryption (OME) and - worst of all - sticking with it despite the risks. Now Finnish security consultancy WithSecure has pointed this out to the world, and also notified it as a vulnerability to Microsoft - only to be told,

"The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report."

At the very least, the Microsofties should have used Cipher Block Chaining (CBC) mode, although they would probably have shot themselves in the foot with a weak way of selecting an initialization vector. Better still, use Galois/Counter Mode (GCM), which is both efficient and also provides authenticity of origin. There is no mitigation, short of switching to S/MIME or OpenPGP email encryption; that will at least limit the impact to Microsoft's reputation only.
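As an added illustration (not code from the WithSecure advisory or from Microsoft), the following Go program assembles ECB from the raw AES block cipher, encrypts a constructed five-block "bitmap" of which four blocks are identical, and shows that ECB exposes that repetition to anyone holding the ciphertext while AES-GCM hides it and, unlike ECB, also rejects a message that has been altered in transit. The key and the sample data are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const bs = aes.BlockSize // 16 bytes

// ecbEncrypt runs the raw block cipher over each block independently. Go's
// standard library deliberately ships no ECB mode; it is assembled here from
// cipher.Block only to show the leak, never for real use.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%bs != 0 {
		return nil, errors.New("bad key or plaintext not block-aligned")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs]) // equal input blocks give equal output blocks
	}
	return ct, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce; output is nonce||ciphertext||tag.
func gcmSeal(key, pt []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen checks the tag before returning plaintext; any altered byte fails.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// gcmBody strips the standard 12-byte nonce and 16-byte tag so that only the
// ciphertext blocks are inspected.
func gcmBody(sealed []byte) []byte { return sealed[12 : len(sealed)-16] }

// repeatedBlocks counts ciphertext blocks that occur more than once: the
// plaintext structure an eavesdropper reads off without knowing the key.
func repeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c
		}
	}
	return n
}

// Constructed sample standing in for the bitmapped graphics the text mentions:
// four identical "white" rows followed by one "black" row (five 16-byte blocks).
// The key is a constructed test value, not a secret from anywhere.
var testKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var bitmap = append(bytes.Repeat([]byte("WHITEWHITEWHITE!"), 4), "BLACKBLACKBLACK!"...)

func main() {
	ecb, _ := ecbEncrypt(testKey, bitmap)
	sealed, _ := gcmSeal(testKey, bitmap)
	fmt.Printf("ECB: %d of 5 blocks repeat; GCM: %d repeat\n", repeatedBlocks(ecb), repeatedBlocks(gcmBody(sealed)))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err := gcmOpen(testKey, sealed)
	fmt.Println("GCM rejects the tampered message:", err != nil)
}
```

With a real image the repeated ECB blocks line up into a recognisable silhouette; counting them is enough to see why the mode is unfit for structured data.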

Sintonen, Harry, Microsoft Office 365 Message Encryption Insecure Mode of Operation, blog post, 14 October 2022. Available online at https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation.

Woolworths Suffers Data Breach, Medibank Hit By Ransomware?

Two more Australian companies have disclosed cyber-attacks. Supermarket giant Woolworths lost control of an estimated 2.2 million customer records via the MyDeal online shopping site, of which it acquired 80% in September. While only the email addresses were leaked for 1.2 million customers, roughly a further million also had their names, phone numbers, delivery addresses and, in some cases, birth dates exposed.

The saving grace for Woolworths is that MyDeal operates on a completely separate platform from the parent company. It seems that access was gained via compromised user credentials - perhaps a phishing attack?

And on Wednesday of last week, insurance group Medibank "detected unusual activity on its network" and by the following morning had taken immediate containment actions as well as engaging external assistance. The insurer shut down some customer-facing systems and also cut them off from internal customer support staff.

The affected systems seem to have been restricted to their 'ahm' general insurance subsidiary as well as health insurance for international students. By late Friday, the company had restored services and stated that "we have found no evidence that our customer data has been accessed".

Details are scant, but to the less-than-casual observer, this incident just screams ransomware. Let's hope they're right about exfiltration . . .

AAP, Woolworths says 2.2 million MyDeal customers' details exposed in data breach, The Guardian, 15 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/15/woolworths-says-22-million-mydeal-customers-details-exposed-in-data-breach.

Uncredited, Medibank cyber incident - Important information for our customers, web page, 14 October 2022. Available online at https://www.medibank.com.au/health-insurance/info/cyber-security/.


News for CISSP's


(ISC)2 Moving to Eliminate Board Elections?

The International Information Systems Security Certification Consortium, (ISC)2, which oversees the CISSP, CCSP and other industry certifications, came under criticism from members a few weeks ago for the fact it put forward five candidates - and only five candidates - for the five open board positions, despite the fact that many others had nominated for the election.

At a subsequent Town Hall, the CEO dismissed concerns, stating that the board needed more representation from non-US members (although many of the nominees discounted were from outside the US). Now it seems that the organization is further seeking to disenfranchise the membership, with a number of questionable amendments to the bylaws, which 'members' will have to vote on over the next month, starting on 16 October.

Some of the changes are fairly obvious and sensible, but towards the end of the list they become contentious, especially this section:

Updates related to future Board of Directors elections include:

  • Changing election language to clarify that the Board of Directors will submit a slate of qualified candidates to the membership equal to the number of open seats
  • Modifying the signed written petition rules to require 1% of overall membership in good standing
  • Removing the option for a write-in candidate

Finally, the last change is to the annual meeting of the members which updates the right of petition language from 500 signatures to 1% of the global membership in good standing, to align with the updated petition requirement for elections.

Note that this not only enshrines the unpopular practice of the Board selecting the election candidates, but also raises the bar for petitions from 500 signatures to 1% of the overall membership - approximately 1500 signatures - which is going to be impossible in practice (especially outside the US).

Concerned CISSP Stephen Mencik has proposed an alternative set of changes to the bylaws, including the addition of external directors (with particular responsibility for the Ethics subcommittee), improved remote participation (to encourage international diversity) and especially more openness and transparency in the board election process. Mr. Mencik is seeking support (500 signatures required - for now) and interested readers are encouraged to review his proposals and endorse them, at https://jsweb.net/isc2/.

In any case, we recommend that readers who are certified take time to read the details of the proposed changes to bylaws, including the full 35 pages of the 2022 Annual Meeting and Bylaws Proxy Materials (below), and carefully consider them before voting.

(ISC)2 Management, Proposed Amendments to (ISC)2 Bylaws - Member Vote Opens Soon, blog post, 7 October 2022. Available online at https://blog.isc2.org/isc2_blog/2022/10/proposed-amendments-to-isc2-bylaws-member-vote-opens-soon.html.

Proxy Materials for Annual Meeting of the Members, International Information Systems Security Certification Consortium, Inc, 5 October 2022. Available online at https://www.isc2.org/-/media/956A62F1A1084D45A6D3AF4AC9E25EFA.ashx.

Mencik, Stephen, ISC2 By-Laws Changes Proposal, web page and petition form, undated. Available online at https://jsweb.net/isc2/.


[ Modified: Monday, 17 October 2022, 5:58 AM ]
 
by Les Bell - Friday, 14 October 2022, 7:45 AM

News Stories


Thermal Attacks Crack Passwords

Researchers at the University of Glasgow have developed a system called ThermoSecure which can crack passwords by using a thermal imaging camera to take a photo of a keyboard after a user has typed a password. Keys appear brighter in the image the more recently they were touched, and with some assistance from AI, the system can crack 86% of passwords when images are taken within 20 seconds of the user typing.

The success rate dropped to 76% when images were taken within 30 seconds and 62% after 60 seconds. The success rate also drops as passwords get longer - six-character passwords were always breakable, but even with passwords of 16 characters, the system could break 67% of passwords after 20 seconds.

Suggested mitigations include using backlit keyboards, as these produce more heat, or switching to alternative authentication mechanisms such as biometrics.

Barker, Dan, Heat from fingertips can be used to crack passwords, researchers find, Evening Standard, 10 October 2022. Available online at https://www.msn.com/en-us/news/technology/heat-from-fingertips-can-be-used-to-crack-passwords-researchers-find/ar-AA12NcEW.

Room Temperature Quantum Network Repeater for Brooklyn Navy Yard

Quantum networking startup Qunnect has announced a round of funding that will permit it to build a testbed quantum key distribution network linking buildings in Brooklyn's historic Navy Yard. The Qunnect hardware is unique in that it operates at room temperature and can fit in conventional server racks.

To date, Qunnect has received funding from the DoE and other government agencies, but has announced $US8 million in funding from Airbus Ventures, The New York Ventures Fund, and others.

Current quantum key distribution devices work by transmitting photons over fiber optic cables, but are subject to light attenuation, which loses more photons as the cable length increases. This means the networks need repeaters, which are the obvious vulnerable point in a QKD network. Qunnect's devices use lasers to create pairs of entangled photons, one of which is temporarily stored in a phial of rubidium vapour while the other is sent over the fiber to the next repeater, where it is entangled with a photon from another pair, and the process continues.

By using the rubidium vapour quantum memory, rather than conventional semiconductor memory, the repeater assures confidentiality; any attempt to observe the quantum state will collapse it, triggering the generation of a new key. And although preserving quantum state is notoriously tricky, rendering quantum computers vulnerable to noise, the Qunnect device can store and release the quantum state of single photons with 95% fidelity, and for up to 0.8 ms, which is enough for communication over "metropolitan scale" quantum networks.

Pasternack, Alex, A new quantum network in Brooklyn opens the door to an untappable internet, Fast Company, 12 October 2022. Available online at https://www.fastcompany.com/90793603/a-new-quantum-network-in-brooklyn-opens-the-door-to-an-untappable-internet.

Timing Attack Opens Possibility of Supply Chain Attacks in Private NPM Packages

As expected, the NPM registry API will return an HTTP 404 (Not found) response code for private packages when queried by an unauthenticated and unauthorized user. However, researchers at Aqua Nautilus have discovered that there is a significant difference in the time taken to return this result for a private package that does not exist vs a private package that does exist.

This leaks information about the existence of private packages, including packages that were once public but were converted to private. From this, attackers can create malicious packages in NPM's public scope, leading to a supply-chain attack.

Kadkoda, Yakir, Private npm Packages Disclosed via Timing Attacks, blog post, 12 October 2022. Available online at https://blog.aquasec.com/private-packages-disclosed-via-timing-attack-on-npm.

Drones Used to Deliver Wi-Fi Credential Stealer, Access Confluence Page

Greg Linares reports, via Twitter, the discovery of a sophisticated attack on a financial services company involving the use of two DJI drones to deliver tools to the rooftop of the company's building.

The first drone, a DJI Phantom, was carrying what was described as a 'modified Wifi Pineapple Device' - a specialised Wi-Fi pen-testing device from Hak5. This was used to capture the credentials of a user, which could then be used to access the corporate wi-fi network. Having obtained these credentials, the attackers then hard-coded them into a second set of tools - a "Raspberry Pi, several batteries, a GPD series mini laptop, a 4G modem, and another wifi device" - loaded onto the second drone, a DJI Matrice 600.

This landed near an HVAC vent and was slightly damaged, but still operable, and was used to target a Confluence page on the intranet. This activity was detected, an investigation launched and quickly focused on the wifi network when it was discovered that the user whose credentials had been used was logged in both via the wifi and from home several miles away. Signal tracing and investigation with a Fluke wifi tester led the team to the roof, where the drones were discovered.

Linares, Greg, This will be a thread discussing ..., Twitter thread, 11 October 2022. Available online at https://twitter.com/Laughing_Mantis/status/1579550302172508161.

Yet Another Attack Framework

Cisco Talos researchers have discovered yet another attack framework which they assess, with moderate confidence, is being used in the wild. The framework, which is delivered as a single 64-bit Linux executable, has RAT payloads compiled for Windows and Linux, and is written in the Go programming language.

'Alchimist' [sic], and its matching C2 tool, has a web interface written in Simplified Chinese. It can generate a configured payload, establish remote sessions, deploy a payload to its victims, capture screenshots, run shellcode remotely and run arbitrary commands.

In most respects, Alchimist is similar to the Manjusaka C2 framework previously reported by Talos; the only major difference is that Manjusaka makes use of the Gin web framework and an existing asset bundling framework called packr, while Alchimist implements those features as native Go code.

Raghuprasad, Chetan, Asheer Malhotra and Vitor Ventura, Alchimist: A new attack framework in Chinese for Mac, Linux and Windows, blog post, 13 October 2022. Available online at https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html.


 
by Les Bell - Thursday, 13 October 2022, 6:51 AM

News Stories


DNS Cache Poisoning Allows Website Account Takeovers

DNS cache poisoning has long been identified as a potential attack vector. The problem is this: DNS requests for name->address lookups contain a randomly-set ID field, and the client resolver or caching DNS that sends such a request will only accept a reply that contains the matching ID. But with only a 16-bit ID field, this is vulnerable to a birthday paradox attack - by triggering lots of such requests, and jamming in spoofed replies with his chosen IP address, the attacker can eventually (and surprisingly quickly) insert the address he wants to send victims to as part of a pharming or other attack.

The fix for this is to add more randomness by randomizing the UDP (or TCP, for large queries) port that sends the request and expects the reply; this will give roughly a 60,000-fold increase in the difficulty of this attack. Other mitigations include using DNSSEC, or running DNS over TLS.

However, by using a clever trick of getting web servers to send email confirmations for account sign-ups, researchers at SEC Consult have been able to profile several thousand domains, and discovered that a significant proportion of web servers have not implemented these controls and remain vulnerable to cache poisoning. They have gone on to develop a proof-of-concept attack that will inject a fake MX (mail exchanger) record into a caching DNS or resolver, allowing a password reset email to be sent to the attacker, leading to account takeover. Although they have used this to achieve the full takeover of fully patched WordPress instances, the same technique could be applied to most web servers and sites.

Longin, Timo and Clemens Stockenreitner, Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style, blog post, 6 October 2022. Available online at https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/.

BazarCall Evolves, Ramps Up Attacks

The BazarCall spin-off of the Conti ransomware gang, which we first mentioned in Security News: 2022-08-12, is ramping up its attacks around the world and evolving new social engineering tactics. The basic tactic starts with a fake email containing an invoice with a unique number, together with a phone number which the recipient can call to cancel a renewal or otherwise dispute the transaction.

Now, researchers at Trellix have captured samples of BazarCall emails and called the phone numbers to learn their tactics and their scripts - of which there are now many. The initial emails now impersonate many brands such as Geek Squad, Norton, McAfee and others. A common tactic to all the phone scripts that follow is that the scammers ask for the unique invoice number and use it to look up the victim's email address, along with their name, address, the amount of the supposed invoice, etc. This all makes the scammer sound like an authentic customer service agent.

From there, the scripts diverge; but in general, the scammer will alarm the victim into thinking their account has been compromised, possibly through some kind of malware that has infected their computer. From there, the script begins to resemble a classic tech support scam call; the scammer will convince the victim to download a trojan dropper which will, in turn, download either remote access software or some other malware which gives persistent access and allows credential stealing, or perhaps ransomware.

Kapur, Daksh, Evolution of BazarCall Social Engineering Tactics, blog post, 6 October 2022. Available online at https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html.

Microsoft (Optionally) Locks Out Admin Accounts

One of the classic attacks on Windows machines is brute forcing local admin accounts, using protocols like RDP (Remote Desktop Protocol). I suspect some readers weren't even born in the heyday of tsgrind and similar tools, which worked because Windows did not support account lockouts on admin accounts.

All this changes today. As of the 11 October 2022 or later cumulative updates, Microsoft has implemented account lockouts. The policy can be found in the registry under

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies

The policy is not enabled by default on existing installs, and Microsoft recommends also setting the related policies to 10/10/10 - that is, 10 failed login attempts within 10 minutes will cause a 10-minute lockout. However, the policy will be enabled by default on new system installs.

Colour me sceptical; the original reason for leaving admin accounts out of lockout policies was that an attacker could implement a very effective DoS attack by simply trying a few logons and locking the legitimate admin - possibly the main user account with admin privileges - out of his own machine, and it will be interesting to see how many threat actors pick up on this technique.

Microsoft claims brute force attacks are "becoming trivial with modern CPUs/GPUs", although in practice the limiting factor is network latency, and compute power is really only relevant to offline attacks such as dictionary and Rainbow Tables attacks.

In other dubious moves, Microsoft is now enforcing password complexity on new machines if a local administrator account is used, requiring at least three of the four basic character types (lower case, upper case, numbers and symbols). I thought we had abandoned password superstitions like these - in fact, NIST SP 800-63B advises against them. Still, it's good to see Not Invented Here syndrome is still rampant in Redmond.

Uncredited, KB5020282 - Account lockout available for local administrators, web page, 11 October 2022. Available online at https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00.

Google Ups Gmail, Android, Chrome Security

At its annual Next conference, Google has announced that it will extend client-side encryption to more Enterprise and Education plans. This will provide end-to-end encryption for email users, but details are sparse, and it is not clear what protocols will be supported (OpenPGP? S/MIME?) and whether other email clients will be supported. However, enterprise customers will be able to control the keys.

In another security-related announcement, the company has added support for FIDO/W3C passkeys to both Android and Chrome, making the feature available to developers immediately via the Google Play Services beta and Chrome Canary. On Android, passkeys will allow users to sign into a website by simply confirming which account they want to use and then presenting their fingerprint, face image or screen unlock pattern/PIN when prompted. The phone passkey can also be used to sign into a website on a nearby computer. This will include cross-platform support, since passkeys are also supported by Apple and Microsoft.

Finally, Intel and Google have launched a new chip called an E2000 Infrastructure Processing Unit (also codenamed 'Mount Evans'), which offloads some network protocol processing and I/O and also improves the separation of virtual machines in cloud servers. The chip will be sold to other companies, but Google are already using it in a new class of VM's they call 'C3'.

Khalili, Joel, Gmail is getting the security upgrade it's always needed, TechRadar Pro, 12 October 2022. Available online at https://www.techradar.com/news/gmail-is-getting-the-security-upgrade-its-always-needed.

Lee, Jane Lanhee, Intel and Google Cloud launch new chip to improve data center performance, Reuters, 11 October 2022. Available online at https://www.reuters.com/technology/intel-google-cloud-launch-new-chip-improve-data-center-performance-2022-10-11/.

Mehta, Nirav, The next wave of Google Cloud infrastructure innovation: New C3 VM and Hyperdisk, Google Cloud blog, 11 October 2022. Available online at https://cloud.google.com/blog/products/compute/introducing-c3-machines-with-googles-custom-intel-ipu.

Zavala, Diego, et al., Bringing passkeys to Android & Chrome, Android Developers Blog, 12 October 2022. Available online at https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

by Les Bell - Wednesday, 12 October 2022, 8:16 AM

News Stories


US Airports Hit by Russian-Speaking Hackers

The public websites of over a dozen US airports have been subjected to a DDoS attack, most likely by a Russian hacktivist group known as "Killnet", who last week claimed responsibility for a similar attack on US state government sites.

While the websites of ATL (Atlanta Hartsfield-Jackson), LAX (Los Angeles International) and other airports were inaccessible for some time, there was no disruption to flights or other airport operations, and the only impact was probably to people seeking flight arrival and departure gates, times and similar information.

Wallace, Greg, et al., Russian-speaking hackers knock multiple US airport websites offline. No impact on operations reported, CNN, 10 October 2022. Available online at https://edition.cnn.com/2022/10/10/us/airport-websites-russia-hackers.

Emotet Emerges Once More

The Emotet malware, and its C2 network, have been around since 2014, when the malware first appeared in the form of a banking trojan controlled by a threat group called Mummy Spider. Over the years, it evolved into a sophisticated family of trojan droppers and payloads which were offered in the form of Malware-as-a-Service, with the Emotet operators specializing in the initial infection of the victims, and then on-selling them to their partners for exploitation.

However, in January of 2021, the C2 network was sinkholed in an international operation by Europol, Ukraine arrested two individuals who were behind it, and in a move that saw the end of Emotet, its C2 infrastructure was used to push an update which uninstalled it. Other malware distributors moved into the resultant gap in the market.

But now, with the assistance of the former Conti ransomware gang and the TrickBot botnet, Emotet has been bootstrapped back into existence as a continually evolving modular exploitation toolkit. The latest incarnations go to great lengths to obfuscate the information of their C2 infrastructure - presumably to avoid being sinkholed again.

VMware Threat Analysis Unit has now released a 68-page report which details the latest 'waves' of Emotet, complete with IoC's, timelines and details of the Emotet configurations.

Bagci, Ethem, Emotet Exposed: A Look Inside the Cybercriminal Supply Chain, technical report, 10 October 2022. Available online at https://blogs.vmware.com/security/2022/10/emotet-exposed-a-look-inside-the-cybercriminal-supply-chain.html.

It's Not What You Know - It's Who You Know

In Germany, the Interior Minister, Nancy Faeser, is reported to want to dismiss the president of the Bundesamt für Sicherheit in der Informationstechnik (BSI), the Federal information security agency. Arne Schoenbohm is suspected to have had contact with people involved with Russian security services, according to media reports.

The Cyber Security Council of Germany, of which Schoenbohm was a founder, counts as a member a German company that is a subsidiary of a Russian cybersecurity firm founded by a former KGB employee, according to the reports.

Neither Schoenbohm, the interior ministry nor the BSI has replied to requests for comment.

Mitwollen, Birgit, et al., Germany's cybersecurity chief faces dismissal, reports say, Reuters, 10 October 2022. Available online at https://www.reuters.com/world/europe/germanys-cybersecurity-chief-faces-dismissal-reports-2022-10-09/.

Hackers Start Their Day With Caffeine

Phishing has long been by far the most effective way of obtaining login credentials or delivering malware, both techniques for initial exploitation after which an attacker can move on to install more sophisticated tools. In a new report, Mandiant researchers have detailed the operation of a new Phishing-as-a-Service (PhaaS) platform called Caffeine, which allows attackers to automate all the boring work and focus on the more interesting and productive parts of their task.

Caffeine is a polished suite of easy-to-use tools which allow anybody to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malware payloads and even track campaign email activity. Not only is it user-friendly, it is inexpensive and also has a completely open registration process rather than being hidden in the dark web or behind encrypted messaging channels. It is also designed to have wide appeal, featuring email templates for deployment against Russian and Chinese victims.

The Mandiant report provides a comprehensive analysis of Caffeine, along with IOC's and YARA rules for detection of some of its components.

McCabe, Adrian and Steve Sedotto, The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform, Mandiant blog, 10 October 2022. Available online at https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform.


by Les Bell - Tuesday, 11 October 2022, 8:26 AM

News Stories


Healthcare System Ransomware Attacks Continue

Although ransomware operators will often attack any target of opportunity - their primary goal is profit, after all - it seems that healthcare organizations are singled out for particular attention. In the latest attack, one of the largest hospital chains in the US, CommonSpirit Health, revealed that it had experienced "an IT security issue" that took its systems down.

CommonSpirit operates over 140 hospitals, with many in Tennessee, Texas and Seattle announcing that they were affected. Patients have reported their surgery being delayed.

Collier, Kevin, Ransomware attack delays patient care at hospitals across the U.S., NBC News, 8 October 2022. Available online at https://www.nbcnews.com/tech/security/ransomware-attack-delays-patient-care-hospitals-us-rcna50919.

FBI Warns of Fake Batteries

Counterfeiting of their products has long been a problem for fashion brands such as Louis Vuitton and others, but it reaches a critical level for products such as aircraft parts, where the failure of an off-spec part can lead to tragedy. Somewhere in between these is the growing problem of counterfeit batteries; fakes may lack functionality - I found this out the hard way after purchasing a replacement phone battery and discovering that a fake lacked the NFC functionality built into the OEM product, rendering some phone applications useless.

Another problem is the possibility of short battery life or low capacity, or even thermal runaway leading to a fire which could destroy a device, or worse. So serious is the problem that the FBI has issued an alert providing advice, perhaps the best of which is the old adage: if the price is too good to be true, then the battery is likely counterfeit.

Uncredited, The FBI and Intellectual Property Rights Center Warns Public of Counterfeit Battery Scams, Alert Number I-093022-PSA, 30 September 2022. Available online at https://www.ic3.gov/Media/Y2022/PSA220930.

1.2 Million Compromised Credit & Debit Cards Leaked

Researchers at Cyble, monitoring dark web carder sites, have discovered the release of a dataset of over 1.2 million debit and credit cards by a group calling themselves 'BidenCash'.

The database, which was leaked on a forum hosting mainly Russian- and English-speaking cybercriminals, provides the card number, expiry date, CVV, the cardholder's name, address, date of birth, email and phone number, and also includes the social security number of US cardholders. Sorted by number of affected consumers, the top countries are the US, India, Brazil, the UK, Mexico, Turkey, Spain, Italy, Australia and China.

Cyble's report includes a detailed analysis and a brief history of the 'BidenCash' group.

Uncredited, 'BidenCash' Strikes Again: Over 1.2 Million Compromised Payment Cards Data Leaked, Cyble blog, 7 October 2022. Available online at https://blog.cyble.com/2022/10/07/bidencash-strikes-again-over-1-2-million-compromised-payment-cards-data-leaked/.

Intel Alder Lake UEFI BIOS Source Code Leaked

Intel has confirmed that the UEFI BIOS source code for their Alder Lake processors has been leaked to 4chan and GitHub, along with tools for building optimized BIOS images. In confirming the breach, an Intel spokesperson claimed that they do not believe this leak will expose any new security vulnerabilities, and in fact, since the code is covered by the company's bug bounty program, it is an opportunity for researchers to help harden the code.

However, researcher Mark Ermolov, who immediately set to work analyzing the code, reported that he had found previously-undisclosed MSR's (Model-Specific Registers). Since the UEFI BIOS code runs at the beginning of the secure boot process, working closely with the TPM (Trusted Platform Module), and the MSR's are typically reserved for trusted code, this could pose a problem.

Even worse, Ermolov found the private key used to sign code for Intel's Boot Guard feature, so that feature is now useless. This all suggests that there could be further serious ramifications of this breach.

Alcorn, Paul, Intel Confirms Alder Lake BIOS Source Code Leak, New Details Emerge, Tom's Hardware, 10 October 2022. Available online at https://www.tomshardware.com/news/intel-confirms-6gb-alder-lake-bios-source-code-leak-new-details-emerge.

'Fattening the Pig' - More Details Emerge

As previously reported, Cambodia-based scammers have lured thousands of people from Thailand, Vietnam, Taiwan and elsewhere to work in scam call centers under appalling conditions. Now further details have emerged, detailing threats of beatings and even electrocution for workers who fail to make quotas of roughly $US12,500 'revenue' each month, in exchange for an initial 'salary' of $US200 or, in most months, nothing. When a worker does not make enough money for the bosses, they are sold to another gang.

The scam workers target victims all over the world, using romance and investment lures, working from converted hotels surrounded by walls to prevent escape. According to the Global Anti-Scam Organization, the average loss from victims is about $US100,000.

Thai police complain of a lack of cooperation from Cambodian authorities which has hampered attempts to repatriate Thai workers. In August, one group of predominantly Vietnamese workers managed to escape, throwing Molotov cocktails to startle their guards, then running from the building to jump into the Binh Di river and swim to Vietnam, on the other bank at least 70 m away. One 16-year-old drowned, and another man was caught, dragged backwards and beaten.

Ratcliffe, Rebecca, Nhung Nguyen and Navaon Siradapuvadol, Sold to gangs, forced to run online scams: inside Cambodia's cybercrime crisis, The Guardian, 10 October 2022. Available online at https://www.theguardian.com/world/2022/oct/10/sold-to-gangs-forced-to-run-online-scams-inside-cambodias-cybercrime-crisis.


by Les Bell - Monday, 10 October 2022, 8:17 AM

News Stories


Brazilian Gang Runs Supply Chain Attack via NPM

Security researchers at Checkmarx have discovered 199 trojanized and other malicious NPM packages in a supply chain attack linked to a group called "LofyGang", which appears to be of Brazilian origin.

The gang seems to be primarily interested in collecting credit card information as well as accounts on streaming services and online gaming services, as well as Discord. They create sock-puppet accounts with names which are variations and permutations of a few key roots such as lofy, life, polar, panda, kakau, evil, devil and vilão (villain), and the presence of Brazilian Portuguese phrases in their files clued the researchers in to their origin.

Their main activity in underground hacking forums is to sell fake Instagram followers, many of which are linked to their malicious package profiles. And while they sell their malware to others, it is often trojanized - not with code in the main package, but in a dependency, to evade detection.

Harush, Jossef, LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year, Checkmarx blog, 7 October 2022. Available online at https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/.

Election Interference Advisory

The FBI and CISA have published a joint public service announcement describing methods used by foreign actors to spread and amplify false information, including reports of alleged malicious cyber activity, in attempts to undermine trust in election infrastructure.

The agencies also confirmed that they "have no information suggesting any cyber activity against U.S. election infrastructure has impacted the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast."

In short, these foreign actors have not been able to compromise election systems, but they are likely to spread a lot of sensationalized BS on social media, just to stir up doubt and mistrust.

FBI & CISA, Foreign Actors Likely to Use Information Manipulation Tactics for 2022 Midterm Elections, Alert Number I-1006622-PSA, 6 October 2022. Available online at https://www.ic3.gov/Media/PDF/Y2022/PSA221006.pdf.

Impact of Identity Theft

We all deal with the theoretical impact of data breaches and privacy breaches in our daily work; we go through risk analysis and estimate the costs of remediation, fines and judgements, reputation damage and so on. But most of us, fortunately, have never had to reckon the personal cost of identity theft.

A story in The Saturday Paper relates the real costs - not financial, but time and stress - of having your personal information stolen, in this case, by burglary, followed by online activities and social engineering. Emma Phillips' wallet and keys were stolen, along with a few other possessions - but of course it contained her driver's licence and credit cards.

Months later, somebody changed her bank account details; the bank changed them back and launched an investigation but the following day the bank took four phone calls from someone impersonating her with the correct identification details. This was followed by an attempt to empty the account from a distant branch (in the middle of COVID lockdowns that restricted travel). And so it went, for months on end, with multiple accounts affected, right down to Medicare.

A useful reminder that data which might not be particularly valuable to us can be incredibly valuable to the subject of that data.

Phillips, Emma, What happens when your identity is stolen, The Saturday Paper, 8 October 2022. Available online at https://www.thesaturdaypaper.com.au/life/2022/10/08/what-happens-when-your-identity-stolen.


by Les Bell - Saturday, 8 October 2022, 6:51 AM

News Stories


How to Not Be an Easy Mark for China

The NSA, FBI and Cybersecurity & Infrastructure Security Agency have issued an Alert which usefully lists the top vulnerabilities exploited by Chinese state-sponsored threat actors. The advisory lists each vuln with vendor, CVE number and vulnerability type - with remote code execution being the most popular type of vulnerability, for obvious reasons.

A list of suggested mitigations is also given, but the most basic message, as always, applies: patch, patch, patch. Topping the list is the venerable Log4j vulnerability, which is still being actively exploited. A proactive vulnerability management and patch management program would prevent the vast bulk of exploits, unless you are singled out for the 0day treatment.

Uncredited, Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors, Alert AA22-279A, 6 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-279a/.

Russian Group Offers Malware-as-a-Service

Eternity (EternityTeam, Eternity Project) appeared around January 2022, offering a variety of malware, including an infostealer, cryptominer, botnet, and a DDoS bot. Now, the group has assembled its set of tools into a single multifunction bot called Lilithbot which it is selling on a subscription basis via a Telegram channel.

The Russian threat group has continually enhanced its software, adding antiforensics and other capabilities, including ransomware functionality (with video-based training for the customer). Researchers at Zscaler have analysed a sample of the malware and its C2 network, providing IOC's in their report.

Jain, Shatak and Aditya Sharma, Analysis of LilithBot and Eternity Threat Group, Zscaler blog, 5 October 2022. Available online at https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group.

Identity Service Dex Patches Consent Page Vulnerability

Open-source identity service Dex acts as a front end to other identity providers, mapping the OpenID Connect protocol to other identity protocols such as LDAP, SAML, OAuth 2.0 and Active Directory. Researchers recently discovered a vulnerability in the implementation of the Dex consent page which - if a user has previously authenticated - can be used by a malicious web site to steal an OAuth authorization code and exchange it for an access token.

This will allow the attacker to masquerade as the user, gaining full access to the user's applications - and because the exploit can be repeated, they can renew the token as required. The fix, which adds an HMAC to the protocol, has been added to Dex version 2.35.0 and later (2.35.1 required for the Google connector).

Woollacott, Emma, Dex patches authentication bug that enabled unauthorized access to client applications, The Daily Swig, 6 October 2022. Available online at https://portswigger.net/daily-swig/dex-patches-authentication-bug-that-enabled-unauthorized-access-to-client-applications.

Android & iOS Apps Steal Facebook Logins

A perennial problem, for some users, is the recurring compromise of their Facebook accounts. "Don't open any messages from me - I've been hacked!", is a common refrain on the social media platform. Often, their account has simply been cloned, but in other cases, their credentials have been stolen, and they wonder how.

Facebook parent Meta has now identified more than 400 malicious Android and iOS apps that steal Facebook credentials. A variety of apps were found, including photo editors, games, health and lifestyle apps, business or ad management apps and, of course, that old classic: the flashlight app that does nothing but turn a light on and off, yet requires a 40 MByte download and every permission to do it.

The Meta researchers are working with Google and Apple to notify affected users and their blog article includes IoC's so researchers who care can investigate further. For users, there's a lot to be said for multi-factor authentication - not to mention not downloading silly apps.

Agranovich, David and Ryan Victory, Protecting People From Malicious Account Compromise Apps, blog post, 7 October 2022. Available online at https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/.


by Les Bell - Thursday, 6 October 2022, 9:19 AM

News Stories


Browser Application Mode Enables Phishing

Application mode is a feature of Chromium-based browsers such as Google Chrome, Microsoft Edge and Brave. It allows web developers to create applications which launch and run in a browser window with no URL bar, toolbars or menu, and which display a website's favicon, rather than the browser icon, in the Windows taskbar. The browser's app mode is launched with the --app command line argument, which can also specify a target URL - which may be an https:// URL or a file:// URL for locally-sourced content (bypassing firewall filtering).

Security researcher mr. d0x has demonstrated how this can be used to create fake login forms which can be launched from a Windows shortcut .lnk file - a favourite technique of threat actors to launch loaders and other malware. With a little HTML, CSS and JavaScript, just about any login prompt can be impersonated.
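
From the defender's side, the useful telemetry is process creation: a Chromium browser launched with --app= pointing at a file:// URL, or at a host nobody in the organisation deploys as a web app, is worth an alert. The following is an added example (not code from the original post or from mr. d0x) that runs that logic over constructed process-creation events in a Sysmon-like Key=Value|Key=Value format; the allowlisted host intranet.example.com and the events themselves are assumptions.

```python
"""Detection logic for Chromium application-mode ('--app=') launches, the phishing
technique described above.  Added example, not from the original post; the
process-creation events below are constructed in a Sysmon-like 'Key=Value|...'
format, and the allowlisted host is an assumption."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumption: the only web apps this organisation legitimately runs in app mode.
ALLOWED_APP_HOSTS = {"intranet.example.com"}

# --app=<url>, with or without surrounding double quotes.
APP_ARG = re.compile(r'--app=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; only the first '=' separates key from value,
    so a command line containing '=' survives intact."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def app_mode_target(command_line: str) -> Optional[str]:
    """Return the URL passed to --app, or None if the browser was not launched in app mode."""
    m = APP_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(event: Dict[str, str]) -> str:
    """Verdict for one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return "not_browser"
    target = app_mode_target(event.get("CommandLine", ""))
    if target is None:
        return "normal_browser"
    url = urlsplit(target)
    if url.scheme == "file":
        # Local HTML rendered with no URL bar: the shortcut-launched fake login form.
        return "ALERT:file_url_app_mode"
    if url.scheme not in ("http", "https"):
        return "ALERT:unexpected_scheme"
    if url.hostname not in ALLOWED_APP_HOSTS:
        return "SUSPECT:unlisted_host_app_mode"
    return "allowed_app_mode"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (parent image basename, verdict) per event, so the analyst also sees
    what launched the browser (explorer.exe for a double-clicked shortcut)."""
    out = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        out.append((parent, classify(ev)))
    return out


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --app=file:///C:/Users/alice/AppData/Local/Temp/login.html',
    r'Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="msedge.exe" --app="https://login-portal.example.net/auth"',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="chrome.exe" --app=https://intranet.example.com/dashboard',
    r'Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="chrome.exe" --profile-directory=Default https://www.example.org/',
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe --app=file:///C:/x.html',
]

if __name__ == "__main__":
    for parent, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:<34} (parent: {parent})")
```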

mr. d0x, Phishing With Chromium's Application Mode, blog post, 1 October 2022. Available online at https://mrd0x.com/phishing-with-chromium-application-mode/.

CISA Alert Details Impacket Network Manipulation, CovalentStealer Exfiltration

The US Cybersecurity & Infrastructure Security Agency, along with the FBI and the NSA, has issued a joint advisory detailing the TTP's and IOC's they observed during response to what turned out to be the activities of multiple APT's who had compromised a defense contractor's enterprise network.

Initial compromise was gained via a Microsoft Exchange server, perhaps as early as January of 2021. A compromised admin account was then used to access the Exchange server's API, and this was then followed by a series of commands to investigate the system and network, as well as the collection of sensitive files. By March, the attackers had installed 17 China Chopper webshells on the Exchange server, as well as the HyperBro remote access trojan, and were pivoting to other systems.

The lateral movement was primarily achieved using the Impacket open-source toolkit, which allows remote command execution via the Windows Management Instrumentation API and protocols. This was followed by privilege escalation and more plundering of users' Exchange mailboxes.

Exfiltration of the data was achieved using CovalentStealer, which can automatically collect files on selected filepaths and user credentials, then exfiltrate them to a Microsoft OneDrive cloud folder, all under the control of a configuration file.

Uncredited, Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, Alert AA22-277A, 4 October 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-277a.

Online Fraudster Jailed for 25 Years

A Norcross, GA man who had banked over $US9.5 million from business email compromise, romance scams and other online frauds has been sentenced to 25 years in a federal prison for his money laundering activities. Starting in October 2018, Elvis Eghosa Ogiekpolor had, in conjunction with the money mules he directed, opened at least 50 fraudulent business bank accounts in the name of a dozen sham companies to receive the proceeds from multiple BEC scams and romance frauds. The funds were withdrawn as cash and cashier's checks, and hundreds of thousands of dollars were wired overseas.

Multiple romance fraud victims testified at trial; one was convinced to wire $US32,000 to one of Ogiekpolor's accounts because her 'boyfriend' - actually one of Ogiekpolor's co-conspirators - claimed a part of his oil rig needed to be replaced but that his bank account was frozen. She had borrowed the funds against her retirement and savings, which ultimately required her to refinance her home to repay the loan. Another victim transferred almost $US70,000 for a similar 'frozen bank account' excuse.

Several of Ogiekpolor's co-conspirators have already been convicted.

Uncredited, Georgia man who laundered millions from romance scams, Business Email Compromises, and other online fraud receives 25-year sentence, press release, 3 October 2022. Available online at https://www.justice.gov/usao-ndga/pr/georgia-man-who-laundered-millions-romance-scams-business-email-compromises-and-other.

Vm2 Vuln Allows Sandbox RCE Breakout

A common control for servers running Node.js workloads is to run untrusted code in vm2, a popular JavaScript sandbox, thereby isolating the server from any vulnerability in the code running on it. But what if there is a vulnerability in the sandbox code itself?

That was the question Oxeye security researchers Gal Goldshtein and Yuval Ostrovsky asked themselves, and they answered it by starting with an analysis of vulnerabilities previously found in the software. Realizing that a previous bug reporter had exploited the Node.js error mechanism to escape the sandbox, they searched for similar channels between the sandbox and the underlying host - and found one in the exception handling code.

The vulnerability they found allows remote code execution on the host server, and merits a CVSS score of 10.0. There is no mitigation, other than updating to the latest release of vm2.

Dickson, Ben, JavaScript sandbox vm2 remediates remote code execution risk, The Daily Swig, 4 October 2022. Available online at https://portswigger.net/daily-swig/javascript-sandbox-vm2-remediates-remote-code-execution-risk.

Google Hacking Video Series

A rather nice new series of docudramas, with obviously high production values, has been released by Google. The series of six stories (plus trailers and a bonus episode) looks at various security teams inside Google as they respond to attacks by a nation-state actor, perform red-team penetration testing, and try to find 0day exploits.

Google, HACKING GOOGLE, video playlist, 4 October 2022. Available online at https://g.co/safety/HACKINGGOOGLE.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.