Blog entry by Les Bell

by Les Bell - Friday, 6 October 2023, 9:27 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Forwarded Emails Breached Patient Confidentiality

The personal details of 192 patients at the Royal Women's Hospital in Melbourne have been compromised in a data spill.

In this case, the hospital's systems, such as the Electronic Medical Record system (which is shared with three other institutions), its email system and other IT systems, have not been compromised. Rather, the spill occurred when a staff member forwarded work emails to their personal email account, "to review and coordinate their patient appointments and care approaches". It was the personal email account that was compromised, and no medical records have been compromised.

The affected patients are being contacted; at this stage no data seems to have been posted on the dark web but this is certainly a future possibility.

There are many obvious problems with the use of email to share work records, especially when medical professionals often work in both hospitals and their own professional rooms, not to mention hybrid work patterns. A better approach would be to support remote access to the required applications for data management, either via VPN or perhaps a zero trust architecture approach; this would also ensure that all data access is subject to the appropriate application-based access controls.

But in this case, it seems that work email was being used anyway - which leads to the next question: why did the staff member forward the email to a personal account? Could the work email system not be accessed externally? If that is the case, why - is that a deliberate architecture/policy choice? If so, it's an outstanding demonstration of the old saw that users will always find a work-around for over-restrictive security controls.
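One control that would have surfaced the behaviour in this story before a breach is a mail-flow rule that flags work messages forwarded to personal webmail accounts. The following is an added example, not code from the hospital or the article: it runs a simple detection over constructed outbound message-tracking log lines. The log format, the hospital.example domain and the list of consumer webmail domains are all assumptions for the demo.

```javascript
// Added example (not from the original post): flag work email forwarded to
// personal webmail accounts. Log format, org domain and webmail list are
// constructed assumptions for the demo.

const INTERNAL_DOMAIN = 'hospital.example';  // assumed organisation domain
const PERSONAL_WEBMAIL = new Set(['gmail.com', 'outlook.com', 'yahoo.com', 'icloud.com']);

// Constructed log lines: timestamp | sender | recipient | subject
const SAMPLE_LOG = `
2023-10-04T08:12:03Z | clinician@hospital.example | clinician.home@gmail.com | Fwd: Appointment list - Thursday clinic
2023-10-04T08:15:41Z | clinician@hospital.example | colleague@hospital.example | Fwd: Appointment list - Thursday clinic
2023-10-04T09:02:10Z | admin@hospital.example | vendor@supplier.example | RE: Invoice 4471
2023-10-04T09:30:55Z | nurse@hospital.example | nurse.personal@outlook.com | FW: Care plan notes
2023-10-04T10:01:00Z | clinician@hospital.example | clinician.home@gmail.com | Lunch on Friday?
`;

// Split one pipe-delimited log line into its four fields; null if malformed.
function parseLogLine(line) {
  const parts = line.split('|').map((s) => s.trim());
  if (parts.length !== 4) return null;
  const [timestamp, sender, recipient, subject] = parts;
  return { timestamp, sender, recipient, subject };
}

// Lower-cased domain part of an address ('' if there is no '@').
function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at === -1 ? '' : address.slice(at + 1).toLowerCase();
}

// Rule: internal sender, personal-webmail recipient, forwarded-message subject.
// Returns the matching parsed records so a reviewer can see what was flagged.
function findExternalForwards(logText) {
  const findings = [];
  for (const raw of logText.split('\n')) {
    const rec = parseLogLine(raw);
    if (!rec) continue;
    const internalSender = domainOf(rec.sender) === INTERNAL_DOMAIN;
    const personalRecipient = PERSONAL_WEBMAIL.has(domainOf(rec.recipient));
    const forwarded = /^(fwd?|fw)\s*:/i.test(rec.subject);
    if (internalSender && personalRecipient && forwarded) findings.push(rec);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findExternalForwards(SAMPLE_LOG)) {
    console.log(`FLAG ${f.timestamp}: ${f.sender} -> ${f.recipient} "${f.subject}"`);
  }
}
```

The last sample line (a personal message to the same Gmail address without a forward prefix) is deliberately not matched, which shows the limit of a subject-based rule; an organisation whose policy forbids any work mail to personal accounts would drop the subject test and alert on the recipient domain alone.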

9 News staff, Almost 200 patients at major Melbourne hospital caught up in data leak, 9 News, 5 October 2023. Available online at https://www.9news.com.au/national/data-breach-royal-womens-hospital-melbourne-victoria-health-news/74175702-20e2-4ca7-818c-6695aa6edaa9.

Malicious npm Packages Deliver r77 Rootkit

Yet another in the apparently never-ending stream of supply chain attacks - this time via npm, the package manager for the JavaScript server runtime, node.js.

Discovered by ReversingLabs researchers, this particular campaign relies on an easily-overlooked confusion over package names: a developer looking for the package node-hide-console-window (which controls visibility of an application's console window) instead stumbles across node-hide-console-windows. Just one little 's' makes all the difference - although the developers of the malicious package were careful to make the npm page for their trojaned version look very similar to the genuine package's, right down to the version history.

In essence, this is similar to the typosquatting attack more commonly used by phishing campaign operators.

The ReversingLabs researchers discovered the malicious package during a routine scan of the npm public repository and immediately noticed that it was owned by a new account not connected to any other npm projects. Examination of the index.js file revealed that it would download and run an executable, which turned out to be DiscordRAT 2.0, an open-source remote access trojan; this particular variant was created only 10 days before the publication of the malicious node-hide-console-windows package.

The RAT would create a channel to an associated Discord server and fetch an initial payload, then wait for additional commands. In addition to all the usual commands expected in a RAT, it also boasts a !rootkit command, which allows the operator to launch the r77 rootkit on the victim. r77 is a fileless ring 3 rootkit which can disguise files and processes to evade detection; in this case, when it is launched it creates two registry subkeys to hide the RAT's executable and its process.

The latest two versions of the malicious node-hide-console-windows package have additional functionality to also download a compiled version of the Blank-Grabber Python infostealer.

The ReversingLabs blog post gives a detailed analysis along with IOCs for the malicious packages and second stage payloads.

Valentić, Lucija, Typosquatting campaign delivers r77 rootkit via npm, blog post, 4 October 2022. Available online at https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
