Blog entry by Les Bell

by Les Bell - Tuesday, July 18, 2023, 9:43 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Free Cloud Security Tools

The US Cybersecurity & Infrastructure Security Agency (CISA) has released a fact sheet to help businesses identify the right tools and techniques to protect information assets as they migrate them into the cloud. The Free Tools for Cloud Environments fact sheet lists open-source tools, methods and guidance for network defenders and incident response teams, to help them identify and mitigate vulnerabilities, and detect anomalies and the threats that might exploit them.

The tools include:

  • The Cybersecurity Evaluation Tool (CSET) (CISA)
  • SCuBAGear (CISA)
  • The Untitled Goose Tool (CISA)
  • Decider (CISA)
  • Memory Forensic on Cloud (JPCERT/CC)

Many are written in Windows PowerShell, but some are in Python and will run in a wider range of cloud environments. One of the most impressive is Decider, which asks a series of questions to help network defenders identify adversary tactics, techniques and sub-techniques, mapping them to the MITRE ATT&CK framework and allowing the results to be exported in formats such as ATT&CK Navigator heatmap layers, which can then be used in threat intelligence reports.
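To make that last step concrete, here is an added example (our own illustration, not Decider's code) of what a Navigator heatmap export looks like: it takes a constructed list of technique IDs a defender has recorded, counts them, and emits a Navigator layer in which the score is the number of observations, so the matrix colours by frequency. The ATT&CK and Navigator version strings are assumptions; set them to match the instance you load the layer into.

```python
"""Turn a list of observed ATT&CK technique IDs into a Navigator heatmap layer.

Added example: not CISA's Decider code, only an illustration of the kind of
export Decider produces. The output follows the ATT&CK Navigator layer JSON
format; the version strings are assumptions (adjust to your deployment).
"""
import json
import re
from collections import Counter

# Constructed input: technique IDs recorded during a hypothetical
# investigation (not observations from any real incident).
OBSERVED = [
    "T1566.001",  # Phishing: Spearphishing Attachment
    "T1566.001",
    "T1078.004",  # Valid Accounts: Cloud Accounts
    "T1552.001",  # Unsecured Credentials: Credentials In Files
    "T1078.004",
    "T1078.004",
]

# Technique IDs look like T1234 or, for sub-techniques, T1234.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_of(technique_id: str) -> str:
    """Return the parent technique of a sub-technique ID (or the ID itself)."""
    return technique_id.split(".")[0]


def build_layer(observed, name="Incident technique heatmap",
                domain="enterprise-attack"):
    """Count technique observations and return a Navigator layer dict.

    Score = number of times the technique was observed, so Navigator's
    gradient colouring turns the layer into a frequency heatmap.
    Raises ValueError on anything that is not a well-formed technique ID.
    """
    bad = [t for t in observed if not TECHNIQUE_ID.match(t)]
    if bad:
        raise ValueError(f"not ATT&CK technique IDs: {bad}")

    counts = Counter(observed)
    max_score = max(counts.values(), default=1)
    techniques = [
        {
            "techniqueID": tid,
            "score": n,
            "comment": f"observed {n} time(s)",
            "enabled": True,
        }
        for tid, n in sorted(counts.items())
    ]
    # Parents of observed sub-techniques are listed with showSubtechniques
    # so Navigator expands them in the matrix view.
    parents = {parent_of(t) for t in counts if "." in t}
    for p in sorted(parents):
        if p not in counts:
            techniques.append({"techniqueID": p, "showSubtechniques": True})

    return {
        "name": name,
        # Assumed version strings; match them to your Navigator instance.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": domain,
        "description": "Technique frequency from an investigation; "
                       "higher score = observed more often",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max_score,
        },
        "legendItems": [{"label": f"observed {max_score}x", "color": "#ff6666"}],
    }


def layer_json(observed) -> str:
    """Serialise the layer for upload via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(observed), indent=2)


if __name__ == "__main__":
    print(layer_json(OBSERVED))
```

Save the printed JSON to a file and open it in Navigator; the three sub-techniques appear shaded by how often they were seen, which is the same shape of artefact Decider hands you for a threat intelligence report.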

CISA, Free Tools for Cloud Environments, factsheet, 17 July 2023. Available online at https://www.cisa.gov/resources-tools/resources/free-tools-cloud-environments.

Security Analyst Jailed For Over Three Years

Back in May we reported on the case of a security analyst who tried to exploit a ransomware attack on his Oxford (UK) employer by substituting his own Bitcoin wallet addresses for those in the attackers' ransom demands, and additionally spoofing emails to increase the pressure to pay up. Unfortunately for him, his man-in-the-middle scheme was foiled when his employer decided not to pay - and even worse, his tampering with the emails showed up in system logs, leading to his arrest. At his appearance in court he sensibly decided to plead guilty.

On his return to Reading Crown Court last week, Ashley Liles, aged 28, was sentenced for blackmail and unauthorised access to a computer with intent to commit other offences, and was jailed for three years and seven months.

"This has been a complex and challenging investigation and I am extremely grateful for all the officers and staff that were involved for their commitment and dedication over a five year period," said Detective Inspector Rob Bryant, of the SEROCU Cyber Crime Unit. "This case demonstrates that the police have the ability and technical skills to investigate cybercrime offences and bring cyber-criminals to justice."

And the moral of the story is: use your powers for good, not evil, lest your mug shot appear in a police force press release. This is a classic example of a CLM (Career Limiting Move).

South East Regional Organised Crime Unit, Man jailed for more than three years for attempting to extort money from the company he worked for, press release, 11 July 2023. Available online at https://serocu.police.uk/man-jailed-for-more-than-three-years-for-attempting-to-extort-money-from-the-company-he-worked-for/.

Cloud Service Provider Breached By Nation State-Sponsored Threat Actor

Cloud management service provider JumpCloud has disclosed a breach affecting some of its internal systems and impacting a number of its customers. The firm has provided details of activity by "a sophisticated nation-state sponsored threat actor" which pivoted from the firm's systems to target "a small and specific set of our customers".

The attack started on 22 June with a sophisticated spear-phishing campaign which gained the threat actor access to an internal orchestration system. In late June JumpCloud detected the activity and took action, activating its incident response plan, rotating credentials and rebuilding infrastructure. Subsequent forensic analysis revealed unusual activity in the commands framework for a small set of customers, and on 5 July the firm force-rotated all API keys.

Further work revealed that the attack vector was data injection into the commands framework, and confirmed suspicions that the attack was extremely targeted and limited to specific customers. The company has shared a list of IOCs, including IP addresses and file hashes.
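The practical use of such an IOC list is a retrospective sweep of your own logs. The following is an added example of that sweep (our own code, not JumpCloud's); the indicator values and log lines are constructed placeholders, with documentation-range IP addresses and made-up hashes standing in for the real indicators in JumpCloud's post, which are not reproduced here.

```python
"""Sweep log lines for IP-address and file-hash IOCs.

Added example, not JumpCloud's code. The IOCs and log lines below are
constructed placeholders (documentation-range IPs, made-up hashes); the
real indicators live in JumpCloud's post and are not reproduced here.
"""
import re
from dataclasses import dataclass

# Constructed IOC list (placeholders, NOT the real JumpCloud indicators).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_SHA256 = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100",
}

# Constructed log lines: an SSH daemon plus a hypothetical agent command log.
# Line 2 logs its hash in upper case, as some tools do; line 4 is a benign hash.
SAMPLE_LOGS = [
    "2023-07-03T10:14:22Z host1 sshd[1201]: Accepted publickey for deploy from 203.0.113.45 port 51022",
    "2023-07-03T10:15:01Z host1 agent: ran command id=4471 sha256=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0",
    "2023-07-03T10:16:40Z host1 sshd[1210]: Accepted publickey for ops from 10.0.0.8 port 51040",
    "2023-07-03T10:17:05Z host1 agent: ran command id=4472 sha256=" + "1" * 64,
    "2023-07-03T10:18:11Z host1 proxy: CONNECT 198.51.100.7:443 from 10.0.0.8",
]

# Whole dotted quads only: 10.0.0.8 must not match inside 110.0.0.8 or 10.0.0.80.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Exactly 64 hex digits, not embedded in a longer hex run.
SHA256 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip" or "sha256"
    indicator: str   # normalised (hashes lower-cased)
    line: str


def sweep(lines, ioc_ips=IOC_IPS, ioc_hashes=IOC_SHA256):
    """Return one Hit per (line, indicator) pair that matches an IOC.

    Hashes are compared case-insensitively because tools log them in either
    case; IPs are matched as whole dotted quads so substrings never match.
    """
    ioc_hashes = {h.lower() for h in ioc_hashes}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IPV4.findall(line))):
            if ip in ioc_ips:
                hits.append(Hit(n, "ip", ip, line))
        for h in sorted(set(SHA256.findall(line))):
            if h.lower() in ioc_hashes:
                hits.append(Hit(n, "sha256", h.lower(), line))
    return hits


def summary(hits):
    """Indicator -> sorted line numbers, handy for a ticket or IR timeline."""
    out = {}
    for h in hits:
        out.setdefault(h.indicator, []).append(h.line_no)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
        print(f"    {h.line}")
```

Run it and three of the five constructed lines are flagged: the two IOC addresses and the upper-case hash, while the benign hash and the internal 10.0.0.8 address are left alone. Swap in the vendor's real indicators and point it at your SSH, proxy and agent logs for the window from 22 June onwards; an empty result is the evidence you want before closing the ticket.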

Phan, Bob, [Security Update] Incident Details, blog post, 12 July 2023. Available online at https://jumpcloud.com/blog/security-update-incident-details.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
