Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

LastPass Hit Again

On their web site, LastPass is notifying customers of another security incident which appears to be a follow-up to the previous incident, in August. Back then, an unidentified threat actor was able to gain access to LastPass' development environment, obtaining some source code and technical information. The incident was contained, and no customer data - especially customer password vaults - were accessed.

However, it seems the attackers got something useful. In the latest incident, the firm detected unusual activity within a third-party cloud storage service which is shared by LastPass and its sister company GoTo (GoToMeeting, GoToConnect). Having once again retained the services of Mandiant, the company has determined that an unauthorized party - likely the same threat actor - used information obtained in the earlier breach to gain access to some customer information, although customer passwords will, of course, be encrypted.

It sounds as though cloud access credentials were embeded somewhere in the stolen source - a perennial, and intractable, problem when you need code to access external services. And you can bet that if customer password vaults were stolen, the attackers will be inspecting LastPass' code, looking for implementation flaws in the encryption.

Toubba, Karim, Notice of Recent Security Incident, blog post, 30 November 2022. Available online at https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/.

MD5 Considered Harmful

The Commission Nationale de l'Informatique et des Libertés (the data protection regulator in France) has handed down a decision which should give software developers everywhere pause to consider their code. The regulator fined energy company Électricité de France (EDF) €600,000 over customer privacy issues. Part of the judgement dealt with routine privacy matters such as sending commercial emails, data collection for undefined purposes and unreliable handling of data access and deletion requests.

But the final part dealt specifically with insecure handling of passwords. Generally-accepted good practice says that passwords should be salted and then hashed using a suitably strong digest algorithm - and EDF claimed that it was doing this. However, in reality it was still storing the passwords of over 25,000 customers as unsalted MD5 hashes.

MD5, which produces a 128-bit digest, is deprecated by virtually all regulators and standards authorities (as is SHA-1, which produces a 160-bit digest). But it was the lack of salt that really troubled the French regulator, especially since, while they had now adopted SHA2-512 for later passwords, they still had 2.4 million SHA2-512 unsalted digests. Although EDF had cleaned up their act and were now both salting and hashing correctly, they were still fined.

My advice (and it's what I've taught in university courses): at the very least, make use of language facilities for password salting and hashing, such as PHP's password_hash() and password_verify() functions, which randomly salt a password and hash it with the bcrypt (or optionally, argon2) hash function. Better still, use PBKDF2 (Password-Based Key Derivation Function 2) which will apply a user-specified number of iterations of the chosen hash function, and also incorporates salt. By choosing a large number of iterations, we increase the work factor for both users and attackers - but since users normally only enter their password once, they will barely notice the delay, while attackers trying brute force and dictionary attacks will really be slowed down.

Ducklin, Paul, Serious Security: MD5 considered harmful - to the tune of $600,000, blog post, 30 November 2022. Available online at https://nakedsecurity.sophos.com/2022/11/30/serious-security-md5-considered-harmful-to-the-tune-of-600000/.

New Backdoor Exploits Old Redis Vulnerability

Researchers at cloud security firm Aqua Security have observed a new piece of malware which attempted to exploit one of their honeypots using CVE-2022-0543, a vulnerability in the Redis in-memory database. Redis is widely deployed on web servers, particularly for page caching, although it has many other applications where a high-performance non-relational database is required. CVE-2022-0543 is a vulnerability in the Debian (and Ubuntu) library for the Lua scripting language engine which is a core component of Redis.

By connecting to a vulnerable Redis server, the attacker is able to execute Redis commands which effectively clone a Redis server that contains a shared library, exp_lin.so, which contains the exploit. Once this is loaded, the attacker is able to escape the Lua scripting engine sandbox and execute arbitrary commands - one of which downloads the new malware, named Redigo.

The malware, which as the name suggests is written in the Go programming language, mimics the Redis communications protocol to connect to its C2 server, after which the victim turns into a Redis client with the attacker becoming the server. The commands sent to the infected machine indicate that the goal is to exploit the Redis server itself, rather than the underlying host.

Aqua's report provides a full analysis with IOC's - useful since, being a new malware sample, VirusTotal did not identify Redigo. A bigger question, however, is why new malware is appearing for a vulnerability that was patched back in February - clearly, attackers are still finding victims, which indicates poor vulnerability management processes.

Yaakov, Nitzan and Ofek Itach, Aqua Nautilus Discovers Redigo - New Redis Backdoor Malware, threat alert, 1 December 2022. Available online at https://blog.aquasec.com/redigo-redis-backdoor-malware.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.