Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Microsoft Uncovers Sophisticated MitM Phishing and BEC Campaign

Researchers at Microsoft Threat Intelligence have been tracking a sophisticated multi-stage Man-in-the-Middle phishing and Business Email Compromise campaign targeting banking and financial services organizations.

In a Man-in-the-Middle attack, the adversaries position themselves between two entities in order to capture traffic, possibly modifying it or replaying it for impersonation purposes. There are many variations on this them; this particular type, which MITRE refers to as Adversary-in-The-Middle, focuses on intercepting multi-factor authentication (MFA) traffic in order to capture a session cookie. By replaying the session with the captured cookie before it expires, the attackers can impersonate the victim without further MFA challenge.

In this case, the attackers used an indirect proxy, hosted on a cloud service, which behaved like a traditional phishing site by mimicking the targeted site's login page, giving the attackers more control over the page content.

Attacker-in-The-Middle using an indirect proxy (image credit: Microsoft)

Having taken over the victim's email account, the attackers ran a phishing campaign, targeting the victim's contacts with a link to page, hosted on SaaS graphic design service Canva, showing a fake Microsoft OneDrive document. Clicking on this leads to a spoofed Microsoft sign-in page, repeating the attack. All the time, the attackers would monitor the victim's inbound emails and reply to any emails which questioned the phishing email's authenticity, deleting these emails and their replies to hide their activity.

This scheme is eerily similar to the BEC attack on Terra Global Capital LLC that we reported yesterday, although it seems unlikely to be the same threat actor, which Microsoft has labeled Storm-1167. The Microsoft blog provides mitigation recommendations and detections as well as threat hunting queries for Microsoft Sentinel.

Microsoft Threat Intelligence, Detecting and mitigating a multi-stage AiTM phishing and BEC campaign, blog post, 8 June 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/.

Just When You Thought It Was Safe . . .

. . . to resume using the MOVEit Transfer and MOVEit Cloud file transfer products, it's time to patch again. It's a truism to say that for every bug you find, two more are lurking undetected. And if the programmers who wrote your code allowed one SQL injection vulnerability to get in there, perhaps they didn't understand the issue well enough to prevent others creeping in as well.

So it goes at Progress Software where, after fixing an SQL injection vulnerability in their products, their developers have obviously been going over the rest of the code with a fine-toothed comb. The result is another vulnerability - CVE-2023-35036 - and another patch, which can be applied either as a DLL drop-in or via a full installer.

Thankfully, unlike the previous vulnerability, this time there does not seem to be 0day exploitation in the wild - but with the release of the patch, it is likely some threat actors will reverse engineer it and develop exploits, so the patch should be considered mandatory.

Progress Software, MOVEit Transfer Critical Vulnerability – CVE-2023-35036 (June 9, 2023), web page, 12 June 2023. Available online at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023.

AI Used for Facial Comparison, Not Recognition - Privacy Implications?

An article on the ABC News (Australia) web site throws up a challenge for those of us who use CCTV but must also comply with privacy legislation. Major Australian retailers such as supermarket chain Woolworths and hardware chain Bunnings are now using an AI-based loss prevention product called Auror. Bunnings (along with Kmart) are already under investigation by the Office of the Australian Information Commissioner (OAIC) for their use of AI facial recognition software to recognise prospective shoplifters in their stores.

Auror insists its software does not perform recognition - instead it can cross-reference an image across multiple crime reports to if the same person is responsible for those (alleged) offences. This is different from the controversial Clearview AI, which compares images against photographs scraped from social media and elsewhere.

Nonetheless, this kind of usage is likely to trigger interest from the OAIC - especially since both the ACT and NSW police forces are using Auror.

Vyer, James, Australian retail giants and police using artificial intelligence software Auror to catch repeat shoplifters, ABC News, 10 June 2023. Available online at https://www.abc.net.au/news/2023-06-10/retail-stores-using-ai-auror-to-catch-shoplifters/102452744.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.