Les Bell and Associates Pty Ltd

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

US Agencies Release Guidance on Open Source in OT and ICS Environments

The US Cybersecurity and Infrastructure Security Agency, along with the FBI, NSA and Department of the Treasury, has released a new fact sheet enttitled Improving Security of Open Source Software in Operational Technology and Industrial Control Systems. This new guide is one of the priority initiatives of the JCDC (Joint Cyber Defense Collaborative) 2023 Planning Agenda, which focuses on systemic risk, collective response and high-risk communities related to critical infrastructure.

Since its distant origins, free and open source software has grown in significance, to the extent that almost every major software system - including those from former staunch advocates of proprietary code - includes several open source components. This includes operational technology (OT), which this fact sheet defines as "the hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of industrial equipment, assets, processes, and events." In this sense, industrial control systems (ICS) are a subset of OT in which networked systems control processes such as manufacturing, product handling, production and distribution.

The report identifies three challenges which OT/ICS shares with other software systems

• Dependency vulnerabilities
• Lack of commercial support
• Inadequate documentation

Dependency vulnerabilities are a common concern in software supply chains generally, but the lack of commercial support can be an obstacle for commercial customers who rely on proactive support from vendors and who do not have processes to connect into the open source community's approach to software maintenance. And I can certainly relate to the last point; I have often discovered a peculiarly-named package in a system I'm working on, wondered what it was, and tracked down the project web site only to discover no explanation of what the package actually is. Greybeard readers may remember the "Real Programmer" jokes, including "Real programmers don't write documentation. You've got the source code - what more do you need?". It's not as funny as it once was.

A related problem is the differing maintenance mindsets between the wider IT software world, which views software as highly mutable and capable of frequent patching and updates after deployment (c.f. the CI/CD pipeline so popular in cloud enviroments). Engineers running complex systems like refineries and mineral-processing plants would be horrified; these systems are subject to stringent change management policies and safety regulations, and even shutting them down for maintenance can bring huge costs.

Increasing interconnection of OT/ICS systems to conventional business IT networks brings a whole new set of risks to this world, requiring an even stronger defensive posture for the business systems.

The fact sheet makes a number of detailed recommendations for improving security of open source in OT/ICS, starting at the senior leadership level and working down. They encompass:

• Vendor support of open source development and maintenance
• Vulnerability management
• Reduction of risk exposure
• Vulnerability coordination
• Patch management
• Improved authentication and authorization policies
• Establishment of a common framework for using open source

The guide also provides an extensive listing of resources and references.

CISA, Securing Open Source Software in Operational Technology, fact sheet, 10 October 2023. Available online at https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/Securing-Open-Source-software-in-operational-technology. Direct PDF download at https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf.

Massive Layer Seven DDoS Attack Uses HTTP/2

From Google comes analysis of a massive distributed denial of service attack on a number of the company's cloud services and their customers. The August attack, which was delivered at layer 7 (the ISO/OSI model application layer) over the HTTP/2 protocol, was significantly larger than any previous layer 7 attack, peaking at 398 million requests per second.

The attack, which Google dubbed "Rapid Reset", was largely stopped at the edge of Google's network by its global load balancing infrastructure, with minimal impact and no outages.

Unlike the classic HTTP/1.1 protocol, which MIME-encodes binary data, bloating it into text, HTTP/2 is a much more efficient binary protocol. And where HTTP/1.1 opens a TCP connection for each object within a page, with a consequent three-way SYN/SYN-ACK/ACK handshake (and a four-way handshake when the connection ends), HTTP/2 multiplexes multiple bidirectional "streams" within a single TCP connection. This also economizes on server CPU, not to mention sockes and ports, which would constrain the number of connections between client and server. It also allows processing concurrent requests, rather than dealing with them serially, as HTTP/1.1 would do, with up to almost 100 times higher utilization of each connection.

This attack exploits a feature of the stream capabilities in HTTP/2, which allows clients to signal the server, cancelling a stream by sending a RST_STREAM frame. This can be done unilaterally, and the client may also assume that the server will cancel the stream immediately, before processing any other data from that TCP connection. The Rapid Reset attack works like this: the client opens a large number of streams at once, but rather than waiting for a response to each request stream from the server (or an intermediate proxy), it simply cancels each request immediately. According to Google's researchers:

So the attack is cheap - in terms of network bandwidth - for the attacker by expensive for the server.

Since the original attack, Google has seen some variants on the Rapid Reset attack which are not as efficient, but probably still more efficient than standard HTTP/2 attacks. One variant, for example, does not cancel streams at once, but instead waits for some time, in order to bypass mitigations which monitor the rate of inbound RST_STREAM frames. A second variant simply tries to overwhelm the server with more streams than it can handle.

Google has deployed a number of mitigations for the Rapid Reset attack variants and is working on others, in conjunction with industry partners. It has reserved CVE-2023-4487 to track the fixes to the various HTTP/2 implementations.

It seems unlikely that Rapid Reset will work against HTTP/3, which uses Google's QUIC protocol, with UDP rather than TCP as the transport. Nonetheless the firm recommends proactive implementation of some similar mechanisms to limit the amount of work done by a single transport connection.

Snellman, Juho and Daniele Iamartino, How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack, blog post, 11 October 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack.

'Son of Mirai' Adds More Exploits

Speaking of distributed denial of service attacks, remember the heady days when the Mirai IoT botnet set new records? Mirai itself is long gone, but its DNA (code, really) lives on in descendants such as IZ1H9, which has recently updated its arsenal of exploits, with payloads for D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK devices in a variant recently sighted by Fortiguard Labs researchers.

Their blog post is littered with CVE's, indicating the number of exploits in this new, rapidly-evolving variant. It has attacked tens of thousands of consumer-level devices, primarily through remote code execution exploits, amassing a large botnet.

The full report from Fortiguard Labs Threat Research provides a detailed analysis of the various exploits, along with IOC's and an offer of free training to protect against phishing attacks.

Lin, Cara, IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits, blog post, 9 October 2023. Available online at https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
  

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Vulnerabilities in Supermicro BMC Firmware

Back in December last year, we reported on vulnerabilities in the AMI MegaRAC software which runs on the baseboard management controller circuitry of many servers in order to provide server management in data centers. Only a month later came news that two other vulnerabilities had been discovered at the same time by security firm Eclypsium, who had given AMI time to develop mitigations.

Now it's Supermicro's turn in the barrel, accordint to a new report from Binarly who have examined the firmware for Supermicro X11 v 1.66, discovering seven vulnerabilities:

• CVE-2023-40289 - a command injection vulnerability in the BMC server back end (CVSS 3.x score 9.1, Critical)
• CVE-2023-40284 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40287 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40288 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 9.6, Critical)
• CVE-2023-40290 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.3, High)
• CVE-2023-40285 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.6, High)
• CVE-2023-40286 - a cross-site scripting vulnerability in the BMC server front end (CVSS 3.x score 8.6, High)

(At time of writing, most of those vulnerabilities are not yet in the National Vulnerability Database.)

The first vulnerability allows an authenticated attacker to gain root access and completely compromise the system, persisting through BMC reboots and leading to lateral movement within the data center infrastructure. The next three cross-site scripting vulnerabilities allow allow execution of arbitrary JavaScript code in the context of a logged-in BMC user, leading to privilege escalation via creation of a new admin account and - hey presto! - CVE-2023-40289 is now available.

The remaining three XSS vulnerabilities also allow execution of arbitrary JavaScript code, but depend on additional conditions to succeed, making them more difficult. However, these seven vulnerabilities collectively offer a chain which can lead to exploitation of the server OS via legitimate iKVM BMC functionality or by flashing the UEFI BIOS of the target system with malicious firmware to achieve persistence.

Binarly are highly critical of Supermicro's response, claiming the firm's calculations of lower CVSS scores reflect a misguided attempt to minimise the impact of the vulnerabilities. Supermicro customers are urged to patch their systems as soon as possible, and also to follow the advice in the NSA's information sheet on BMC hardening.

Binarly Research Team, Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs, blog post 3 October 2023. Available online at https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html.

National Security Agency / Central Security Service, NSA and CISA Release Guide to Protect Baseboard Management Controllers, press release, 14 June 2023. Available online at https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/.

NSA and CISA, Harden Baseboard Management Controllers, cybersecurity information sheet, June 2023. Available online at https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF.

Trend Micro Offers Managers a Guide to Cybersecurity Risk Assessment

Security firm Trend Micro has published an article on risk management which won't tell information risk management professionals anything they don't know, but is a nice introduction to send to busy managers who need to appreciate the basics. It ends with a gentle pitch for the firm's Vision One EDR/XDR product, as one might expect, but is easily readable and contains some links to other relevant non-technical articles on, e.g. cyber risk quantification.

Clay, Jon, A Cybersecurity Risk Assessment Guide for Leaders, blog post, 5 October 2023. Available online at https://www.trendmicro.com/en_us/ciso/23/b/cybersecurity-risk-assessment.html.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
  

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

NSA, CISA Highlight Common Security Misconfigurations

A new advisory released by the NSA and CISA highlights the most common cybersecurity misconfigurations identfied by the agencies during red team/blue team assessments conducted by their Hunt and Incident Response teams. The 10 most common network misconfigurations are:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

The advisory explains each category of misconfiguration, with examples, and maps them to the MITRE ATT&CK and D3FEND frameworks. Taking just the first category as an example - Default configurations - these are mainly default credentials and default service permissions and configurations settings:

The other categories are given similar treatment, with details of the typical vulnerabilities and the exploits they enable. The focus in this section is not so much on mitigation, as on work that should have been performed earlier, as systems are installed and deployed. For example, many of these misconfiguration problems should have been dealt with during a system hardening and automated audit process, for example, using SCAP (Security Content Automation Protocol), or even earlier, during system design and development.

There is one exception, however, and that is poor credential hygiene, which currently has to be dealt with via security education, training and awareness (remember, October is Cybersecurity Awareness Month so now is the time to get on top of this). In the long run, of course, the answer lies in the use of multi-factor authentication and cryptographic techniques which will hopefully see an end to passwords altogether (well, we can dream . . .).

Having said that, the advisory concludes with two long sets of tables of mitigations - one for defenders of production systems and networks, and one for software manufacturers. Think of this as a long 'to-do list' to be pinned to the wall; there's a good chance some of these tasks have been overlooked in your environment. The final section of the advisory is a list of references, which itself points to a lot of useful information.

CISA, NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, cybersecurity advisory AA23-278A, 5 October 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a. Direct PDF download at https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
  

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Forwarded Emails Breached Patient Confidentiality

The personal details of 192 patients at the Royal Women's Hospital in Melbourne have been compromised in a data spill.

In this case, the hospital's systems, such as the Electronic Medical Record system (which is shared with three other institutions), its email system and other IT systems, have not been compromised. Rather, the spill occurred when a staff member forwarded work emails to their personal email account, "to review and coordinate their patient appointments and care approaches". It was the personal email account that was compromised, and no medical records have been compromised.

The affected patients are being contacted; at this stage no data seems to have been posted on the dark web but this is certainly a future possibility.

There are many obvious problems with the use of email to share work records, especially when medical professionals often work in both hospitals and their own professional rooms, not to mention hybrid work patterns. A better approach would be to support remote access to the required applications for data management, either via VPN or perhaps a zero trust architecture approach; this would also ensure that all data access is subject to the appropriate application-based access controls.

But in this case, it seems that work email was being used anyway - which leads to the next question: why did the staff member forward the email to a personal account? Could the work email system not be accessed externally? If that is the case, why - is that a deliberate architecture/policy choice? If so, it's an outstanding demonstration of the old saw that users will always find a work-around for over-restrictive security controls.

9 News staff, Almost 200 patients at major Melbourne hospital caught up in data leak, 9 News, 5 October 2023. Available online at https://www.9news.com.au/national/data-breach-royal-womens-hospital-melbourne-victoria-health-news/74175702-20e2-4ca7-818c-6695aa6edaa9.

Malicious npm Packages Deliver r77 Rootkit

Yet another in the apparently never-ending stream of supply chain attacks - this time via npm, the package manager for the JavaScript server runtime, node,js.

Discovered by ReversingLabs researchers, this particular campaign relies on an easily-overlooked confusion over package names: a developer looking for the package node-hide-console-window (which controls visibility of an application's console window) instead stumbles across node-hide-console-windows. Just one little 's' makes all the difference - although the developers of the malicious package were careful to make the npm page for their trojaned version look very similar to the genuine package's, right down to the version history.

In essence, this is similar to the typosquatting attack more commonly used by phishing campaign operators.

The ReversingLabs researchers discovered the malicious package during a routine scan of the npm public repository and immediately noticed that it was owned by a new account not connected to any other npm projects. Examination of the index.js file revealed that it would download and run an executable, which turned out to be DiscordRAT 2.0, an open-source remote access trojan; this particular variant was created only 10 days before the publication of the malicious node-hide-console-windows package.

The RAT would create a channel to an associated Discord server and fetch an initial payload, then wait for additional commands. In addition to all the usual commands expected in a RAT, it also boasts a !rootkit command, which allows the operator to launch the r77 rootkit on the victim. r77 is a fileless ring 3 rootkit which can disguise files and processes in order to evade their detection; in this case when it is launched it create two registry subkeys to hide the RAT's executable and its process.

The latest two versions of the malicious node-hide-console-windows package have additional functionality to also download a compiled version of the the Blank-Grabber Python infostealer.

The ReversingLabs blog post gives a detailed analysis along with IOC's for the malicious packages and second stage payloads.

Valentić, Lucij, Typosquatting campaign delivers r77 rootkit via npm, blog post, 4 October 2022. Available online at https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024
  

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Confluence 0-day Exploited; Atlassian Releases Updates

A newly-discovered 0-day vulnerability - CVE-2023-22515 - in Confluence Data Center and Confluence Server is under active exploitation. Atlassian considers the vulnerability to be critical, and stated in an advisory:

Atlassian has rushed out new versions of Confluence Data Center and Confluence Server which fix the vulnerability: versions 8.3.3, 8.4.3 and 8.5.2. Customers are urged to update to these (or later) versions. Versions prior to 8.0.0 are unaffected, as are Atlassian Cloud sites (i.e. those hosted by Atlassian in the atlassian.net domain).

Atlassian's security advisory also provides a suggested reconfiguration for mitigation on those installations which are unable to update immediately, as well as some IOC's.

Atlassian, CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server, security advisory, 4 October 2023. Available online at https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html.

CISA, NSA Developer and Vendor Guidance on IAM

A new publication written by the Enduring Security Framework - a CISA- and NSA-led public/private cross-sector working group - addresses the key challenges faced by developers and vendors in easing the adoption and secure deployment of multi-factor authentication and single-sign-on technologies. The report focuses on technical gaps and challenges, enabling developers and integrators to refine their existing tools to address these and, if necessary, develop new tools,  but also touches on non-technical issues like cost, staffing and user experience.

Among the key issues identified is MFA terminology and definitions. For example, "2-step verification", "two-factor authentication" and "multi-factor authentication" are used interchangably, along with vague terms like "push notification" which do not map cleanly to technical security properties such as those defined in NIST SP 800-63. This makes it difficult for customers to compare a range of technologies with subtle technical differences and different levels of assurance.

Both vendors and customers often exclude public-key infrastructure from consideration as MFA, a point I often make during classes: to log in to various servers, I have to have both my SSH private key (something I have) and the passphrase which unlocks that key (something I know) - does that count as two factor authentication? Audiences are divided, but this report takes the view that it does.

The report also discusses the complexity and usability challenges for SSO and federated identity management, such as the tradeoffs between functionality, complexity and usability, and the issues of ensuring SSO can enable secure MFA across all use cases, including privileged access, such as high-level admin accounts used in setting up SSO itself.

The report concludes with 11 recommendations, from standardization of terminology to further research into development of a secure-by-default, easy to use, SSO system to address the gaps in the market.

CISA, CISA and NSA Release New Guidance on Identity and Access Management, cybersecurity advisory, 4 October 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new-guidance-identity-and-access-management. PDF report directly available online at https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF.

Apple Rushes Out Kernel Fix

Apple has released an emergency security update for iPhones and iPads, following discovery of a 0-day vulnerability which was being actively exploited. The vulnerability, CVE-2023-42824, in the XNU kernel, allowed a local privilege escalation; Apple said that "this issue may have been actively exploited against versions of iOS before iOS 16.6".

The update also fixes CVE-2023-5217, a heap buffer overflow vulnerability in libvpx.

Apple, About the security content of iOS 17.0.3 and iPadOS 17.0.3, security advisory, 4 October 2023. Available online at https://support.apple.com/en-us/HT213961.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

GPU and DSP Vulnerabilities Actively Targeted

The security landscape has developed a sudden nasty rash of vulnerabilities in the drivers for GPU (Graphics Processing Unit) and DSP (Digital Signal Processing) chips - and what's worse, these vulns are being actively exploited in attacks.

Qualcomm

Qualcomm was notified by the Google Threat Analysis Group and Google Project zero that three vulnerabilities are under limited, target exploitation. The vulnerabilities are:

• CVE-2023-33106
• CVE-2023-33107
• CVE-2023-33063
• CVE-2022-22071

At the time of writing, most of these do not appear in the National Vulnerability Database, but CVE-2022-22071 was described in Qualcomm's May 2022 Security Bulletin, as a use-after-free vulnerability in Automotive Android OS. There's no real information about the first three vuln's in Qualcomm's October 2023 Security Bulletin, though, other than a statement that:

However, the bulletin does cover three other critical vulnerabilities:

• CVE-2023-24855 (CVSS v3.x score 9.8): Use of out-of-range pointer offset in modem causing memory corruption in Qualcomm’s Modem component occurring when processing security-related configurations before the AS Security Exchange.
• CVE-2023-28540 (CVSS v3.x score 9.1): Improper authentication in Data Modem caused by a cryptographic issue in the Data Modem component arising during the TLS handshake.
• CVE-2023-33028 (CVSS v3.x score 9.8): Memory corruption in the WLAN firmware occurring while copying the pmk cache memory without performing size checks.

ARM Mali GPU Driver

Similarly, Maddie Stone of Google's Threat Analysis Group and Jann Horn of Google Project Zero have disclosed a vulnerabilityin ARM's Midgard, Bifrost, Valhall and Arm 5th Gen GPU architecture kernel drivers:

CVE-2023-4211 (CVSS 3.x score: ARM Mali GPU kernel driver use-after-free vulnerability allows a local non-privileged user to access already freed memory via improper GPU memory processing operations

The issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0, but there is evidence that it is under limited, targeted exploitation, and CISA has added it to its Known Exploited Vulnerabilities Catalog.

ARM, Mali GPU Driver Vulnerabilities, advisory, 2 October 2023. Available online at https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities.

Qualcomm, October 2023 Security Bulletin, advisory, 2 October 2023. Available online at https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html.

ShellTorch RCE Vulnerability Affects AI Models

PyTorch is a popular open-source machine learning framework which is widely used in production, often via TorchServe. TorchServe is an open-source package for serving and scaling PyTorch models, primarily used in training and developing AI models. While TorchServe is maintained by Meta and Amazon, it counts Amazon, OpenAI, Tesla, Microsoft, Google and Intel among its users.

Now researchers at Oligo Security have reported the discovery of a number of a number of critical vulnerabilities in TorchServe which provide an exploit chain leading to remote code execution. Thousands of vulnerable instances are publicly exposed, including many at the companies named above.

The default configuration of TorchServe accidentally exposes the management interface to the entire world (by binding to all interfaces rather than just localhost), without any form of authentication. This can be combined with CVE-2023-43654, a server-side request forgery vulnerability (CVSS 3.x score 9.8) in the management interface that provides remote code execution, allowing configuration uploads from any domain. The researchers also found that TorchServe can be exploited via an unsafe deserialization vulnerability in the SnakeYAML library (CVE-2022-1471), giving a malicious model the capability of remote code execution.

The exploitation chain, called "ShellTorch", ends with the complete takeover of an AI model - and there are tens of thousands of exposed instances of vulnerable TorchServe applications around the world.

The vulnerabilities are present in TorchServe versions 0.3.0 through to 0.8.1. However, version 0.8.2 only partially mitigates CVE-2023-43654 by alerting the user to the possibility of uploads from invalid domains. Users should go through additional steps to secure their TorchServe installations by editing the config.properties file:

Oligo have also made available a tool which can check a TorchServe installation for the vulnerabilities. Their blog post contains a full write-up and description.

Levcovich, Idan, Guy Kaplan and Gal Elbaz, ShellTorch: Multiple Critical Vulnerabilities in PyTorch Model Server (TorchServe) (CVSS 9.9, CVSS 9.8) Threatens Countless AI Users - Immediate Action Required, blog post, 3 October 2023. Available online at https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

AI Leading to Security Arms Race

We have often seen arms races in infosec over the years, as hackers discover an vulnerability and develop an exploit, the defenders work up a defence against that exploit, the hackers develop a workaround for that defence, the defenders block that workaround, and so the cycle continues until finally, the fundamental vulnerability is fixed with a patch that passes all the regression tests. A classic example is Microsoft's response to directory traversal attacks against IIS, which was met with the Unicode exploit for directory traversal, and when MS blocked that, the bad guys responded with Double Decode and so on it went. . .

The complexity and subtleties of large language models used in generative AI applications, especially chatbots, seems likely to lead to similar arms races, as hackers experiment with jailbreaks and prompt injections to work around programmatic prohibitions intended to prevent the AI apps doing the bad guys' work for them.

In a new example devised by Denis Shiryaev, he was able to overcome Bing Chat's initial refusal to solve a CAPTCHA image. When shown the CAPTCHA as a simple image, Bing Chat immediately recognised it and explained that it could not help, since the CAPTCHA "is a type of challenge-response test used to determine whether or not a user is human".

However, Shiryaev superimposed the CAPTCHA image onto the image of a pair of hands holding a locket, and then submitted that image along with a sob story:

The embedding of the image onto a surround locket and hands, along with the new prompt context of the lost dearly-loved grandma, was enough to jailbreak the Bing Chat block on simple CAPTCHA solving, and it solicitiously replied:

This is yet another way in which a large language model can be tricked into doing something that would normally be forbidden by its inbuilt safeguards. Essentially, GPT-4, which underlies Bing Chat, sets about answering this prompt from a different starting point in its knowledge graph, thus bypassing its defences against simple CAPTCHA-solving.

Microsoft and OpenAI are now going to have to come up with a defence for this - simply filtering for "grandma" and "locket" in prompts would defeat this particular exploit, but is obviously simplistic and easy to get around. One might posit the use of an LLM to examine potentially malicious inputs - but we are now in a recursive spiral which ends in what Douglas Hofstadter termed a "strange loop", since the filtering LLM itself could be exploited, and we ultimately end up against Kurt Gödel's incompleteness theorem.

Expect the fun and games with AI jailbreaks and prompt injection to continue for years to come.

Shiryaev, Denis, I've tried to read the captcha with Bing . . . , X post, 1 October 2023. Available online at https://twitter.com/literallydenis/status/1708283962399846459?s=20.

BunnyLoader: Rapidly-Evolving Malware-as-a-Service

A new piece of malware discovered being sold on cybercrime forums in early September by Zscaler ThreatLabz offers a lot of functionality to its purchasers. Termed "BunnyLoader", this new example of Malware-as-a-Service (MaaS) sells for the princely sum of only $US250, but incorporates the ability to download and execute a second-stage payload, and can also function as a stealer, with the ability to extract system information and user credentials from browsers, to work as a keystroke logger and to replace cryptocurrency wallet addresses on the clipboard with the threat actor's own wallet addresses. The stolen information can then be uploaded in ZIP format to a command and control server.

Written in C/C++, BunnyLoader is a fileless loader; in other words, it can download and execute further malware stages in memory, leaving no artifacts on disk for analysis. It also incorporates antiforensic techniques such as sandbox detection to further avoid analysis. It also offers remote command execution via a reverse shell.

BunnyLoader is also rapidly evolving, with eleven different releases seen by ThreatLabz during September alone. Purchasers get access to a web C2 dashboard listing tasks such as:

• downloading and executing additional malware
• keylogging
• stealing credentials
• manipulating a victim’s clipboard to steal cryptocurrency
• running remote commands on the infected machine

as well as statistics, active tasks and the stealer logs. Running this kind of malware really does not require mAd l33t skillz at all. . .

The Zscaler ThreatLabz blog post provides a detailed technical analysis, as well as IOC's.

Shivtarkar, Niraj and Satyam Singh, BunnyLoader, the newest Malware-as-a-Service, blog post, 29 September 2023. Available online at https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

October is Cybersecurity Awareness Month

It's October already, and it seems like only a year since it was last October. Why is this significant? Because in both Australia and the US, and quite probably elsewhere, it is Cybersecurity Awareness Month, during which governments encourage enterprises to raise awareness, and also to raise public awareness of cybercrime and privacy concerns. The Australian Cyber Security Centre received a cybercrime report every 7 minutes during the 2021-2 financial year, an increase of 13% from the previous year, and there is no reason to believe things have improved in the last year.

We do our bit by making available a short talk for local government and community groups on Baseline Security for Small and Medium Enterprises; we also allow guest access to its accompanying course page whch contains additional resources (all the links within this story point to resources within that course or to external resources). Many of its recommendations are equally applicable to microbusinesses, self-employed professionals and private individuals, and it's no surprise that our recommendations overlap with this year's advice from the government agencies. Let's look at a few key points.

Proactive Patching

Both the major US and Australian agencies are this year recommending proactive patching of devices and systems. For smaller businesses and individuals, there is really no reason not to simply enable the default automatic updates of Microsoft, Apple and Google operating systems and applications. Large enterprises are different; they have complex, mission-critical systems running internally-developed and externally-sourced software which require extensive regression testing of the patches in a lab setting to ensure stability. And while this is being done, these systems are well-defended behind many layers of firewalls, endpoint security and intrusion prevention systems which will prevent their vulnerabilities being successfully exploited.

For small business and individuals, the situation is different; their systems are much simpler, often consisting primarily of the office suites provided by the operating system vendors, who have already done all the required regression testing to ensure that their OS patches don't break their apps, and vice-versa. And their systems are not surrounded by multiple layers of defence, but mininally-defended, so that any delay in applying patches increases the likelihood of successful exploitation.

In short: check for updates on a weekly basis, ideally every Wednesday morning for Windows systems, so as to catch Microsoft's monthly US Tuesday release of patches. Macs, iPhones and Android phones are generally similarly configured to auto-update. Yes, it's sometimes a pain to have to reboot after patches have been applied, but it is well worth it.

Strong Passphrases, Password Managers and Multi Factor Authentication

Both the US and Australian agencies recognise the importance of defending against online credential theft, and are suggesting various defensive techniques:

Strong Passwords - or, better, Passphrases

Unfortunately, the US Cybersecurity and Infrastructure Agency is giving outdated advice stating that "Strong passwords are long, random, unique and include all four character types (uppercase, lowercase, numbers and symbols)". This has long been known to be counter-productive as the resulting passwords are hard to memorize and users inevitable have to write them down or, after several logon failures, will give up and reset their passwords to something simpler. In fact, Special Publication 800-63B from the US National Institute of Standards and Technology, which provides guidance to US government agencies, deprecates any requirements for password complexity, instead recommending support for very long passphrases and only requiring a minimum of eight characters.

It's better to follow the advice of the Australian Cyber Security Center, to use passphrases: "Passphrases are passwords that use 4 or more random words". Just don't use "correct horse battery staple" 😁

Both agencies recommend the use of password managers to generate and store passphrases.

Multi-Factor Authentication

Best of all, enable multi-factor authentication on online accounts, especially email (Gmail, MS Outlook), social media and financial accounts. Where possible, make use of security keys such as Yubikeys (strongest), or mobile app-based authenticator applications such as Google Authenticator, Microsoft Authenticator or Authy (strong). Complain to companies and service providers who do not support these but instead rely on six-digit text-message verification codes (weak), as these are easily hacked and are now deprecated (again, see NIST SP 800-63B).

Backups

The ACSC recommends backing up important files. I'd go further, and recommend backing up each complete system.

The most important point is to store backups offline and, ideally, off-site. In other words, after backing up the system - say, to an external USB hard drive - you should unplug the backup drive so that it cannot be reached by ransomware or any other malware that infects your system. That way, should you fall victim to ransomware, the backup itself will not be encrypted and held ransom, and you can successfully boot from backup media and restore the lost files to get back to work.

Storing a backup off-site provides a last line of defence against disasters such as fires and flooding. While you can arranges this by, for example, storing a copy of backup media in some secure location, it is increasingly easy to make backups to cloud storage such as Amazon S3 or Google Cloud Storage (although this, in turn, introduces new threats unless secured properly).

After doing a detailed comparison of different products a few years ago, I settled on R-Drive Image to backup my Windows systems, buying multiple licences for our machines. It has never let me down and has saved my proverbial behind on several occasions. See https://www.drive-image.com/ for information. I also run both local and cloud backups, nightly, for our office NAS devices.

Controlled Folder Access

Speaking of ransomware, you should be aware that a backup alone cannot provide full protection against modern ransomware gangs. This is because, prior to encrypting and locking up your files, the ransomware uploads copies to the gang's command and control servers, and they may threaten to release your data publicly. It is much better to prevent ransomware - and other malware - from getting a foothold in the first place.

Large enterprises do this via a technique known as application safelisting (also application whitelisting or allowlisting) which will only allow a short list of approved programs to run on users' computers. However, application safelisting software can be quite expensive as it is intended for centralized management of many computers.

A free alternative that is well worth investigating is already built into Windows 10 and later, in the form of Controlled Folder Access. You can find this by going to the Windows Security dashboard (the blue sheild icon in the systray at lower right of the desktop), then clicking "Virus & threat protection" followed by "Manage ransomware protection".

Controlled folder access works with two lists - one of approved application programs, and one of the folders these programs are allowed to access. By default, many popular programs - e.g. the Microsoft Office suite - are enabled by default, as are the folders they generally use. If you have other programs - for example, I have a number of special-purpose editors and word processors - they will need to be added manually (this can be tedious, but stick with it!).

However, once controlled folder access is turned on, other programs - such as ransomware - will be blocked from running, and even the approved programs will be blocked from accessing other folders. There are no 100% guarantees, as there are some advanced techniques which can get around it, but tests have shown that controlled folder access will block most of the common ransomware.

Other Guidance

There's some other plausible advice in the government agencies' Cyber Awareness Month strategies, but it's less actionable and less certain. For example, CISA says, "Recognise & Report Phishing", but all the evidence suggests that this is far from easy - especially now that the phishing operators are using generative artificial intelligence to write better email lures for this and other scams.

Australian Cyber Security Agency, Cyber Security Awareness Month, web page, October 2023. Available online at https://www.cyber.gov.au/learn-basics/view-resources/cyber-security-awareness-month.

US Cybersecurity & Infrastructure Security Agency, Cybersecurity Awareness Month, web page, October 2023. Available online at https://www.cisa.gov/cybersecurity-awareness-month.

Les Bell and Associates, Baseline Security for Small and Medium Enterprises, online course, undated. Available online at https://www.lesbell.com.au/course/view.php?id=7.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

CISA Adds Multiple Exploited Vulnerabilities

This week, CISA has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog:

• CVE-2023-41179 - Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
• CVE-2023-41991 - Apple Multiple Products Improper Certificate Validation Vulnerability 
• CVE-2023-41992 - Apple Multiple Products Kernel Privilege Escalation Vulnerability
• CVE-2023-41993 - Apple Multiple Products WebKit Code Execution Vulnerability
• CVE-2018-14667 - Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

CISA, CISA Adds One Known Exploited Vulnerability to Catalog, cybersecurity advisory, 21 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/21/cisa-adds-one-known-exploited-vulnerability-catalog.

CISA, CISA Adds Three Known Exploited Vulnerabilities to Catalog, cybersecurity advisory, 25 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-exploited-vulnerabilities-catalog.

CISA, CISA Adds One Known Exploited Vulnerability to Catalog, cybersecurity advisory, 28 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/28/cisa-adds-one-known-exploited-vulnerability-catalog.

WebP Vulnerability More Widespread Than First Thought

Of course, Apple should not be singled out over that WebKit code execution vulnerability - lots of browsers (and many server systems) have had to be updated this week due to a vulnerability in the libwebp library for rendering and processing images in the WebP format.

CVE-2023-4863 was initially considered to be a heap-based buffer overflow vulnerability in the Chrome browser. The vulnerability could be exploited by a malicious web page which contains a specially crafted image, giving the attacker remote code execution.  However, the vulnerability is really in some heap memory allocation code in the Huffman compression decoding routine. This was initially tracked as CVE-2023-5129 (since retired and replaced with CVE-2023-4863).

A similar vulnerability existed in Apple's code (CVE-2023-41064) as well as Chrome (CVE-2023-4863). Furthermore, libwebp is widely used in web content management systems, including WordPress and Drupal, as well as web languages such as Python and Node.js.

As we reported earlier this month, CVE-2023-41064, in particular, was exploited in the wild before its discovery by CitizenLab, who reported that it was being used as part of a zero-click deployment chain - called BLASTPASS - for NSO Group's Pegasus spyware.

A new report from Rezilion ties all this together rather nicely, and includes a list of affected products, including browsers, Linux distributions and other software. Rezilion also provide recommended mitigations.

Rezillion, Rezilion Researchers Uncover New Details on Severity of Google Chrome Zero-Day Vulnerability (CVE-2023-4863), blog post, 21 September 2023. Available online at https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/.

Google, An image format for the Web, developer documentation page, 14 September 2023. Available online at https://developers.google.com/speed/webp.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Xenomorph Banking Trojan Morphs Again

Back in February last year, researchers at Amsterdam fraud risk firm ThreatFabric encountered a new Android banking trojan which they dubbed Xenomorph, due to its code being partially based on the earlier Alien trojan. At that time, many planned features of Xenomorph had not yet been implemented, suggesting that the malware was still in the early stages of development. However, it was still adequately functional, targeting the customers of 56 different European banks by using Accessibility Services privileges to pup up overlay templates in front of the bank app's genuine login screen, thereby capturing customer credentials. It also intercepted SMS messages and Notifications, allowing it to compromise two-factor authentication.

For this campaign, the trojan was distributed via malicious (trojan-horse) apps on the Google Play Store, but that technique has been less effective as Google has improved its detection of malware in the Play Store. Now, ThreatFabric has uncovered a new Xenomorph campaign, this time using phishing webpages to trick users into side-loading malicious .apk files, thus bypassing Google's filtering.

This new version of the banking trojan has a larger list of targets, including institutions in the US and Portugal, and is also able to target multiple crypto wallets. The ability to add new targets is based on the malware's template system; the C2 server updates a list of URL's from which the malware can fetch new overlays which can capture usernames, passwords, credit card numbers and other data. The overlays are encrypted using a combination of AES and a proprietary algorithm.

Xenomorph now also sports a wide range of modules which can manipulate the victim device when specific conditions are met, performing actions like getting admin access, setting itself as the default SMS handler and disabling Play Protect. The new variant adds some new capabilities, such as disabling the screen sleep mode, simulating a touch on a point on the screen, and launching an Activity from a legitimate service.

Investigation of the Xenomorph C2 infrastructure indicates that the same group is also targeting desktop computers with a number of other stealers.

ThreatFabric's report provides a detailed analysis, along with IOC's such as sample digests, C2 server names and a list of its targets.

ThreatFabric Research, Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted, blog post, 25 September 2023. Available online at https://www.threatfabric.com/blogs/xenomorph.

Report Provides Details of PRC Threat Actors

A new report produced by the NSA, FBI, CISA, Japan's National Police Agency and National Center of Incident Readiness and Strategy for Cybersecurity details activities by cyber actors linked to the People's Republic of China. The advisory provides the tactics, techniques and procedures of this activity, which has been termed 'BlackTech' (a.k.a. Palmerworm, Circuit Panda and Radio Panda).

BlackTech has demonstrated capabilities such as modifying router firmware without detection and exploiting the router's domain trust relationships to pivot from international subsidiaries to headquarters in Japan and the US, which are the primary targets. The group uses custom malware, dual-use tools and living-off-the-land tactics to target government, industrial, tech, media, electronics and telecomms sectors. The report's authors recommend that multinational corporations review all subsidiary connections, verify access and consider moving to zero trust architectures to limit the extent of a possible BlacTech compromise.

NSA, FBI, et. al., People's Republic of China-Linked Cyber Actors Hide in Router Firmware, cybersecurity advisory, 27 September 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.