Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Kimsuky is Back With New Phishing Campaign

North Korean cyber-espionage APT Kimsuky is running a campaign targeting organizations that show an interest in the DPRK, including human rights activists, defector support organizations and information services, according to researchers at SentinelOne. Kimsuky has been active since at least 2012, engaging in spearphishing and social engineering campaigns to collect intelligence and access sensitive information in order to further the interests of the North Korean government,

In the new campaign, Kimsuky has shifted to using a variant of the RandomQuery malware; although RandomQuery has a range of capabilities including keylogging and dropping additional malware, this variant is used only to perform file enumeration and information exfiltration.

The malware is distributed using Microsoft Compiled HTML Help (CHM) files, which has long been Kimsuky's favourite technique. The group is also using a wider range of TLD's for their C2 infrastructure, including .space, .asia, .click and .online, although they also continue to use legitimate-looking names in the .com domain.

The Sentinel Labs report provides a full analysis of this RandomQuery variant, along with IOC's and a list of malicious domains.

Milenkoski, Aleksandar and Tom Hegel, Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit, technical report, 23 May 2023. Available online at https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/.

CISA Updates Ransomware Guidance

The US Cybersecurity & Infrastructure Security Agency, FBI, NSA and Multi-State Information Sharing and Analysis Center (MS-ISAC) have updated their #StopRansomware Guide in light of the accelerated tactics and techniques employed by ransomware groups since the initial release of the Guide in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware.

The new Guide was developed through the Joint Ransomware Task Force, which was established by the US Congress in 2022 and is co-chaired by CISA and the FBI.

The Guide is available at https://www.cisa.gov/resources-tools/resources/stopransomware-guide.

Cybersecurity & Infrastructure Security Agency, CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF), alert, 23 May 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update-stopransomware-guide-developed-through-joint-ransomware-task-force-jrtf.

Windows Adds Support for .rar, .tar, .gz. (Groan)

Buried among a list of innovations being added to Windows - such as Window Copilot (an AI assistant) and a raft of other AI-powered extensions - is the announcement that the Redmondites are adding native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project.

Oh, great. Windows' graphical shell already supports automatic opening and extraction of .zip and .iso formats, and while this is convenient, it has also been seized upon as a way for malware operators to get their product installed onto the systems of unsuspecting victims. Windows normally tags email attachments with the Mark of the Web, to mark them as unsafe and discourage victims from unsafe practices like enabling macros in these files.

However, Windows does not similarly tag the files inside these archive formats, allowing them to sneak past this defensive line. Now the bad guys will have a whole new set of archive filetypes, many of which will be unfamiliar to the unsuspecting victims.

Sigh. As for the privacy and security dangers of AI in the OS - well, that ship has sailed and pointing out the problems is like peeing into the wind.

Panay, Panos, Bringing the power of AI to Windows 11 – unlocking a new era of productivity for customers and developers with Windows Copilot and Dev Home, blog post, 23 May 2023. Available online at https://blogs.windows.com/windowsdeveloper/2023/05/23/bringing-the-power-of-ai-to-windows-11-unlocking-a-new-era-of-productivity-for-customers-and-developers-with-windows-copilot-and-dev-home/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.