Blog entry by Les Bell

by Les Bell - Wednesday, 23 August 2023, 10:16 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Infostealer Masquerades as MacOS App

The XLoader malware-as-a-service infostealer has existed in various forms since around 2015, targeting primarily Windows systems. Although a MacOS variant appeared in 2021, it was written as a Java program - and since most Macs no longer supported the Java Runtime Environment (JRE) as standard, its impact was highly limited.

But now a new variant has emerged, say SentinelOne researchers, this time written in the C and Objective-C programming languages, compiled down to a native binary, and masquerading as an office productivity application called 'OfficeNote'. The app is bundled inside a standard Apple disk image file under the name OfficeNote.dmg, signed on 17 July 2023 with the developer signature MAIT JAKHU (54YDV8NU9C).

Apple has subsequently revoked this developer key, but tests by the SentinelOne researchers indicate that Apple's malware blocker, XProtect, did not have a signature for this malware as of 21 August, and uploads to VirusTotal indicate that it spread quite widely during July. Its developers are offering this Mac version of XLoader for rent at $US199/month or $US399 for three months - high in comparison with the Windows variants.

If invoked by a victim, the promised 'OfficeNote' fails to run, but in the background the malware drops and runs its payload, creating a hidden directory containing the malware as well as a LaunchAgent so that it will persist. Once running, it attempts to steal secrets from the user's clipboard as well as the Chrome and Firefox browsers, but does not target Safari. It also contacts its C2 server, hiding the server's IP address among hundreds of dummy network requests. It also uses a variety of other detection evasion techniques, such as sleeping for some time before executing malicious behaviour, and using stripped binaries to make static analysis harder.

The SentinelOne blog post contains a detailed analysis and IOCs.
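The persistence technique described above (a LaunchAgent whose executable sits in a hidden directory) is something a defender can triage with a short script. The following is an added example, not code from the SentinelOne post; the plist contents are constructed samples, not IOCs from the write-up, and the prefix list and "RunAtLoad" heuristic are the author's assumptions about what is worth a second look.

```python
"""Triage user LaunchAgents for the hidden-directory persistence pattern."""
import plistlib
from pathlib import Path, PurePosixPath

# Assumption: binaries under these prefixes are treated as ordinary installs.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def program_path(plist: dict):
    """Executable a LaunchAgent runs: the Program key, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def hidden_components(path: str) -> list:
    """Directory components of the path that begin with '.' (hidden on macOS)."""
    return [p for p in PurePosixPath(path).parts[:-1] if p.startswith(".")]


def assess_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and return a verdict with the reasons behind it."""
    plist = plistlib.loads(plist_bytes)
    path = program_path(plist)
    reasons, suspicious = [], False
    if path is None:
        suspicious, reasons = True, ["no Program or ProgramArguments key"]
    else:
        hidden = hidden_components(path)
        if hidden:  # the pattern from the XLoader write-up
            suspicious = True
            reasons.append("executable lives under hidden directory: " + "/".join(hidden))
        if plist.get("RunAtLoad") and not path.startswith(SYSTEM_PREFIXES):
            reasons.append("RunAtLoad set for a non-system binary (review)")
    return {"label": plist.get("Label"), "program": path, "suspicious": suspicious, "reasons": reasons}


def scan_directory(directory=None) -> list:
    """Assess every *.plist in a LaunchAgents folder (default: the current user's)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    return [dict(assess_agent(p.read_bytes()), file=str(p)) for p in sorted(directory.glob("*.plist"))]


# Constructed samples for offline testing; the paths and labels are made up.
SAMPLE_SUSPICIOUS = plistlib.dumps({"Label": "com.constructed.agent", "RunAtLoad": True,
                                    "ProgramArguments": ["/Users/victim/.hidden/agent", "--quiet"]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.constructed.backup", "RunAtLoad": True,
                                "Program": "/Applications/Backup.app/Contents/MacOS/backup"})

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(assess_agent(sample))
```

Run `scan_directory()` on a real machine to review the current user's agents; a hit is a lead for further analysis, not proof of infection.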

Devadoss, Dinesh and Phil Stokes, XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App, blog post, 21 August 2023. Available online at https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/.

RCE Vulnerability Affects Ivanti Sentry

Researchers at Norwegian security firm mnemonic have discovered a zero-day vulnerability in Ivanti Sentry (formerly MobileIron Sentry), a secure gateway for mobile devices accessing corporate networks. The vulnerability, CVE-2023-38035, allows an unauthenticated threat actor to both read and write files to the Sentry server, and execute OS commands with root privileges via sudo.

The vulnerability is in some API endpoints of the Sentry server's System Manager Portal (commonly known as MICS [MobileIron Configuration Service]), which normally runs on port 8443. If this port is not exposed to the Internet, a threat actor will need internal access. However, that access can be acquired by compromising the Ivanti Endpoint Manager Mobile (EPMM), since it communicates with the Sentry server over port 8443 - and the EPMM server may be exploited via CVE-2023-35078 and CVE-2023-35081, an authentication bypass and a directory traversal vulnerability, both of which have previously been exploited in the wild.

Ivanti has issued RPM packages which update currently supported versions of Ivanti Sentry.

Not entirely coincidentally, the US Cybersecurity & Infrastructure Security Agency has added this vulnerability as one of two new entries in its Known Exploited Vulnerabilities Catalog - the other is CVE-2023-27532, a missing authentication for critical function vulnerability in Veeam Backup & Replication Cloud Connect.

mnemonic, Threat Advisory: Remote Code Execution (RCE) vulnerability in Ivanti Sentry (CVE-2023-38035), blog post, 21 August 2023. Available online at https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/.

Ivanti, CVE-2023-38035 - Vulnerability affecting Ivanti Sentry, blog post, 21 August 2023. Available online at https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry.

Ivanti, CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface, forum post, 21 August 2023. Available online at https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US.

CISA, CISA Adds Two Known Exploited Vulnerabilities to Catalog, cybersecurity advisory, 22 August 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/08/22/cisa-adds-two-known-exploited-vulnerabilities-catalog.

Telemarketer Breached; Charity Donor Details Published on Dark Web

An April attack on a Brisbane telemarketing firm, Pareto Phone, has culminated with the dark web publication of the personal information of thousands of donors to charities which used the firm. The breach has been notified to the National Cyber Security Coordinator, but it is not clear whether the Office of the Australian Information Commissioner has been notified - and if so, within the required notification period of 30 days.

The firm has been used by a number of charities, including the Cancer Council and Canteen, which supports young people with cancer and which reported that 2,600 current and former donors had been contacted. It said information including full names, dates of birth, addresses, email addresses and phone numbers had been released, but not financial information.

The Fred Hollows Foundation said that 1,700 of its donors had been affected, and further indicated that data had been held by the telemarketer long beyond its usefulness: "We worked with Pareto Phone only during 2013 and 2014. We were not aware our data was still held by them". This suggests a significant breach of the Australian Privacy Principles, which are an annex to the Privacy Act.

Burt, Jemima, Thousands of donors to Australian charities, including Cancer Council and Canteen, have data leaked to dark web, The Guardian, 23 August 2023. Available online at https://www.abc.net.au/news/2023-08-23/qld-charity-donors-dark-web-cyber-criminals-pareto-phone/102757194.

CISA, NSA, NIST Push Post-Quantum Cryptography

Once again, we are beating the drum about cryptographic agility and the need to prepare for the possibility that well-resourced threat actors - probably (but not necessarily) affiliated with nation states - develop the capability to break our public-key algorithms using quantum computers.

To this end, CISA, the NSA and NIST have jointly released a factsheet to alert organizations - particularly in critical infrastructure - to the possibilities and to start them planning for the migration to post-quantum cryptography (PQC) standards. NIST will release a set of PQC standards in 2024, although we already know what many of the algorithms are likely to be.

The factsheet recommends preparing a post-quantum roadmap, starting with preparing a cryptographic inventory in order to identify technology which may be vulnerable to a quantum computing attack, then engaging with suppliers to ascertain their roadmaps. We need to start now, to ensure that the cybersecurity supply chain encompasses PQC.

CISA, Quantum-Readiness: Migration to Post-Quantum Cryptography, factsheet, 21 August 2023. Available online at https://www.cisa.gov/resources-tools/resources/quantum-readiness-migration-post-quantum-cryptography.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
