Blog entry by Les Bell

by Les Bell - Wednesday, 27 September 2023, 9:35 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Microsoft Adds Passkey Support to Windows 11

Microsoft has, for many years, been engaged in the Sisyphean task of securing an increasingly complex software stack. These two forces are in continual opposition; as the old saw has it, the enemy of security is complexity. But to give them their credit, the Redmondites keep plugging away at it, and things are, gradually, getting better.

The architecture that was reborn with Windows Vista has allowed the firm to take advantage of a range of hardware and software innovations: the use of the Trusted Platform Module (TPM) to provide a root of trust for a secure boot process, core isolation features such as Hypervisor-protected Code Integrity, and the use of shadow stacks - part of Intel's Control-flow Enforcement Technology - for code running in kernel mode, which mitigates the hijacking of return addresses by stack buffer overflows. While this has caused pain for device driver and application developers who use non-standard techniques - and for their users - it has paid off.

The firm has now announced support for passkeys - an implementation of the FIDO2 passwordless authentication system - in Windows 11. Users will be able to create, use and protect passkeys with Windows Hello or Windows Hello for Business, or with their phone, authenticating with their face, fingerprint or device PIN. The Windows 11 implementation will work with multiple browsers including Edge (obviously), Google Chrome, Firefox and others. All we need now is for the mass of web sites to add support for passkeys.

Users with FIDO2 security keys or Windows Hello for Business will now be able to eliminate passwords altogether; in fact, Azure Active Directory (now renamed Entra ID) administrators can configure policy so that users will no longer even see the option for password entry at logon. Another new feature is 'Config Refresh', which counters attempts to tamper with registry-based policy settings by resetting them periodically (every 90 minutes by default, or every 30 minutes if desired). There are also new configuration options for the Windows Firewall.

This all represents another step towards a password-less world - something that will come as a relief to security professionals everywhere, since a passkey is bound to the site that registered it and cannot be handed over to a look-alike site, which will dramatically reduce phishing attacks.
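To show why a passkey login resists phishing, here is an added example (not Microsoft's or the FIDO Alliance's code) of the relying-party checks that bind a WebAuthn assertion to the expected origin and RP ID. The RP_ID, origin, challenge and the clientDataJSON/authenticatorData values are constructed for the example, and verification of the authenticator's signature is assumed to happen separately.

```python
import base64
import hashlib
import json

# Relying-party configuration (hypothetical values chosen for this example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> bool:
    # The browser, not the user, fills in the origin, and the authenticator hashes
    # the RP ID into authenticatorData; this binding is what defeats phishing.
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False  # replayed or stale response
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False  # response was produced for some other site
    # First 32 bytes of authenticatorData are SHA-256(rpId).
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    # Flags byte: bit 0 = user present (UP), bit 2 = user verified (UV).
    flags = authenticator_data[32]
    return bool(flags & 0x01) and bool(flags & 0x04)

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped as a browser would serialise it."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00" * 4

CHALLENGE = b"constructed-challenge-bytes"
# Genuine login: browser reports our origin, authenticator hashed our RP ID.
GENUINE = check_assertion(make_client_data("https://example.com", CHALLENGE),
                          make_auth_data("example.com"), CHALLENGE)
# Look-alike phishing site: both the origin and the rpIdHash differ, so it fails.
PHISHED = check_assertion(make_client_data("https://examp1e.com", CHALLENGE),
                          make_auth_data("examp1e.com"), CHALLENGE)
```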

In other Microsoft security news, the company's Security Resource Center blog has a nice profile of Australian-born security researcher Rocco Calvi, who has been continually at or near the top of the MSRC Most Valuable Researcher leaderboard in recent years.

MSRC, Journey Down Under: How Rocco Became Australia’s Premier Hacker, blog post, 25 September 2023. Available online at https://msrc.microsoft.com/blog/2023/09/journey-down-under-how-rocco-became-australias-premier-hacker/.

Weston, David, New security features in Windows 11 protect users and empower IT, blog post, 26 September 2023. Available online at https://www.microsoft.com/en-us/security/blog/2023/09/26/new-security-features-in-windows-11-protect-users-and-empower-it/.

RaaS Groups Share Infrastructure, Tools

The Ransomware-as-a-Service ecosystem is a highly dynamic one, with groups splintering, members forming new groups, and TTPs being re-used, adapted and evolved on a continual basis. It seems that the groups may also share infrastructure, or at least pass it on to new users. A new report from Group-IB Threat Intelligence and its associates describes a new group, called ShadowSyndicate, that has taken this to new levels.

The key that allowed the Group-IB research team to identify the ShadowSyndicate infrastructure was the presence of the same SSH key fingerprint on many servers - 85 at the time of writing. The group has been working with various ransomware groups and their affiliates since July 2022, using a set of 'off-the-shelf' tools including Cobalt Strike (52 of those servers were used for Cobalt Strike C2), IcedID and Sliver malware.

The researchers also linked ShadowSyndicate to a Quantum ransomware campaign in September 2022, Nokoyawa ransomware campaigns in October and November 2022, and ALPHV activity in February 2023. It is possible that ShadowSyndicate has also been associated with Royal, Cl0p, Cactus and Play ransomware campaigns, with connections between ShadowSyndicate's infrastructure and Cl0p/Truebot, which is one of the most successful ransomware operators.

The ShadowSyndicate infrastructure is widely dispersed - most of it is in Panama, Cyprus or the Russian Federation, but there are servers in locations such as the Seychelles, the Netherlands and Honduras.

The Group-IB blog post provides a full analysis as well as IOCs such as IP addresses and domain names.
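The fingerprint pivot described above, as an added example that is not Group-IB's code: it computes OpenSSH-style SHA256 host-key fingerprints from ssh-keyscan-format lines and reports any key that appears on more than one host, which is how a shared or handed-down server fleet shows up in scan data. The host keys and addresses are constructed (documentation IP ranges), not the report's IOCs.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_hostkey_b64(public_point: bytes) -> str:
    """Build the base64 blob ssh-keyscan prints for an ssh-ed25519 host key.
    public_point is the raw 32-byte key; here a constructed constant."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(public_point)
    return base64.b64encode(blob).decode()

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def cluster_by_fingerprint(keyscan_lines):
    """Group hosts from 'host keytype base64' lines by host-key fingerprint."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits '# host:port banner' comment lines
        host, _keytype, key_b64 = line.split()[:3]
        hosts_by_fp[fingerprint(key_b64)].add(host)
    return hosts_by_fp

def shared_keys(keyscan_lines, minimum_hosts: int = 2):
    """Return fingerprints seen on at least minimum_hosts distinct hosts."""
    return {fp: sorted(hosts)
            for fp, hosts in cluster_by_fingerprint(keyscan_lines).items()
            if len(hosts) >= minimum_hosts}

# Constructed sample: three servers reuse one host key, one has its own.
SHARED_KEY = ed25519_hostkey_b64(bytes(range(32)))
UNIQUE_KEY = ed25519_hostkey_b64(bytes(range(32, 64)))
SAMPLE_KEYSCAN = [
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_8.9",
    f"192.0.2.10 ssh-ed25519 {SHARED_KEY}",
    f"192.0.2.11 ssh-ed25519 {SHARED_KEY}",
    f"198.51.100.7 ssh-ed25519 {SHARED_KEY}",
    f"203.0.113.5 ssh-ed25519 {UNIQUE_KEY}",
]
```

The same function runs unchanged over real `ssh-keyscan -t ed25519,rsa,ecdsa` output saved to a file, one line per host.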

Switzer, Eline and Joshua Penny, Dusting for fingerprints: ShadowSyndicate, a new RaaS player?, blog post, 26 September 2023. Available online at https://www.group-ib.com/blog/shadowsyndicate-raas/.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
