Les Bell and Associates Pty Ltd

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

AI-Generated Content Farms Proliferate

The field of information warfare - what the US Cybersecurity & Infrastructure Security Agency terms 'mis- , dis- and malinformation' - is not one of most readers' primary concerns, but it is something we need to be aware of. Similarly, we need to keep abreast of the rapid developments in artificial intelligence and machine learning - especially large language models, which are able to provide complex answers in response to sophisticated conversational queries (e.g. ChatGPT and Google Bard).

These two fields have inevitably formed a nexus in the creation of so-called content farms - low-quality websites which provide a never-ending stream of clickbait articles primarily intended to generated advertising revenue. In a new report by news-rating group NewsGuard, the authors identified 49 websites which appear to be almost completely automated with little to no human oversight.

Many articles contain clues that they are AI-generated, such as error messages common to chatbots: "I cannot complete this prompt", references to "my cutoff date in September 2021" and "as an AI language model". But occasionally, the unmonitored output reaches new levels of stupidity:

An AI-generated headline that appeared on TNewsNetwork.com, an anonymously-run news site that was registered in February 2023. (Screenshot via NewsGuard)

The sites use highly generic names like Biz Breaking News, NewsLive 79, Daily Business Post and Market News Reports, and their articles are generally bland and full of filler phrases but substantially accurate. However, some do veer into outright misinformation; for example, in April 2023, a site called CelebritiesDeaths.com, which posts generic obituaries, posted an article under the headline "Biden dead. Harris acting President, address 9am ET.", continuing, "BREAKING: The White House has reported that Joe Biden has passed away peacefully in his sleep…". Other articles contain fabricated information - so-called "AI hallucinations".

The sites promote themselves via social media, and are increasing in readership, with the largest claiming over 150,000 followers. As they continue to grow, we can expect people to be less well informed about important issues in politics, finance, health and technology, and trust for media generally to continue to decline. We can also expect state actors to use these techniques in foreign influence operations, promoting deliberate disinformation hidden among surrounding AI-generated content.

Sadeghi, McKenzie and Lorenzo Arvanitis, Rise of the Newsbots: AI-Generated News Websites Proliferating Online, special report, 1 May 2023. Available online at https://www.newsguardtech.com/special-reports/newsbots-ai-generated-news-websites-proliferating/.

Is There Honour Among Thieves?

One of the most prolific ransomware-as-a-service operators over the last year is LockBit, which first appeared around January 2020, and whose affiliates have been responsible for a number of high-profile extortions such as last year's release of patient data from the Centre Hospitalier Sud Francilien hospital in Corbeil-Essonne near Paris - all this despite the arrest of one the group's ringleaders.

Back in February, one of the LockBit affiliates hacked the Olympia Community Unit School District 16 in Illinois, exfiltrating student information which it threatened to release on the LockBit dark web site unless a ransom demand was met. Sure enough, a countdown timer appeared on the site, warning the school district their information would be released on 12 April.

However, it seems that the LockBit affiliate involved has somehow transgressed against the group, with the site admin expressing remorse over the attack and offering a free decryption key:

This is unusual among ransomware operators, who have been responsible for the release of vast quantities of sensitive information, from the healthcare industry in particular. However, it seems there is some kind of honour among thieves, after all.

Cluely, Graham, "Ashamed" LockBit ransomware gang apologises to hacked school, offers free decryption tool, blog post, 28 April 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/ashamed-lockbit-ransomware-gang-apologises-to-hacked-school-offers-free-decryption-tool/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Mac Infostealer Advertised on Telegram

Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered a Telegram channel advertising a new infostealer which is particularly aimed at Mac users. Despite all evidence to the contrary - and yes, there is some merit to the argument that the Mac's UNIX-derived security architecture is simpler and more mature than that of Windows - there is still a large range of MacOS malware out there, including MacStealer, RustBucket, DazzleSpy and others.

The new stealer, which its authors christened Atomic MacOS Stealer (AMOS), is continually being improved and extended with new capabilities. AMOS can steal a variety of information from an infected machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the user's MacOS password. Even more worryingly, it targets multiple browsers and can extract auto-fill strings - including passwords - cookies and credit card information. It also attacks cryptowallets such as Atomic, Binance, Coinomi and Electrum.

Customers who sign up for the stealer - at the bargain price of $US1000/month - are provided with a web dashboard for managing their attacks, meta mask brute forcing for stealing seeds and private keys, a crypto checker and DMG (disk image file) installer, which can be used to trick victims into installing the malware.

Uncredited, Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram, blog post, 26 April 2023. Available online at https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/.

WithSecure Detects Veeam Backup Vulnerability Exploitation in the Wild

Researchers at WithSecure - formerly the Finnish security firm F-Secure for Business - have identified attacks against Internet-accessible servers which run Veeam Backup and Replication software. The attacks possibly exploited a recently-patched vulnerability, CVE-2023-27532, which allows the theft of credentials from the Veeam configuration database.

The activity was initially observed on 28 March 2023, when an SQL server process, sqlservr.exe, related to the Veeam Backup instance, executed a shell command to perform a download and in-memory execution of a PowerShell script. The script turned out to be a loader called POWERTRASH, written in obfuscated PowerShell code, attributed to the long-standing FIN7 malware group. This loader then executed its payload through the reflective PE injection technique, with filenames that also adhered to FIN7's naming conventions.

(The FIN7 group has been around for many years, using a variety of techniques, such as mailing malware-infected USB keys with supporting documentation, to commit financially-motivated cybercrime. Although three of their members were arrested in 2018, this does not seem to have slowed their activities significantly.)

The threat actor then used a number of commands, such as netstat, tasklist and ipconfig, as well as custom scripts to enumerate system and network information. A number of SQL commands were also used to steal information from the Veeam backup database, including stored passwords. From there, a custom PowerShell script was used to gather further system information via the Windows Management Interface (WMI) API - again, a favourite tactic of FIN7.

Following this, persistence was achieved by creating a registry entry to execute DICELOADER on each system restart. This was followed by lateral movement, using remote WMI method invocations and net share commands, and an attempt to install another backdoor, probably a Cobalt Strike beacon.

The attack illustrates the dangers of leaving the Veeam port (TCP port 9401) publicly exposed, so the obvious mitigation is to close that at the firewall. And obviously, reactive patching will fix the vulnerability that was likely used by the attackers.

Singh, Neeraj and Mohammad Kazem Nejad, FIN7 tradecraft seen in attacks against Veeam backup servers, blog post, 26 April 2023. Available online at https://labs.withsecure.com/publications/fin7-target-veeam-servers.

Rapture Ransomware Analysis

Sticking with the theme of Powershell scripts being used in attacks: Trend Micro researchers provide an interesting analysis of a new ransomware variant they dub Rapture, primarily on account of its code similarities to the earlier Paradise ransomware.

This ransomware infection chain takes around three to five days, during which its operators inspect firewall policies, check the target PowerShell version and check for vulnerable Log4j applications. If all of this checks out, they then download and execute a PowerShell script to install Cobalt Strike onto the target system. From there, they will further penetrate the target network, using a unique method of privilege elevation to download and install an encrypted Cobalt Strike beacon payload from their C2 infrastructure. This then connects to the same C2 server in order to perform its ransomware activities.

The Trend Micro blog post provides full details, as well as a useful list of suggested mitigations.

Ladores, Don Ovid, Ian Kenefick and Earle Maui Earnshaw, Rapture, a Ransomware Family With Similarities to Paradise, blog post, 28 April 2023. Available online at https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Tricky Configuration Tasks Compromise Security

We've long known that asking users - or even developers - to manually establish cryptographic keys or otherwise configure security is a generally futile approach. We saw this, for example, with the popular osCommerce open-source merchant server package, which required the user who installed it to manually edit the .htaccess file for the software. When used by novices who were simply trying to turn a hobby into a side gig, this step was inevitably skipped, leading to thousands of vulnerable sites being exploited.

Now comes a similar tale of security misconfiguration, courtesy of the security researchers at Horizon3.ai. This time, the offending software is the Apache Superset open-source data visualization software. Superset is written in Python, using the Flask web framework, and like most web server applications, it uses cookies for user session management. Of course, these need to be protected to avoid various attacks, and Flask does this by signing the cookie with a SECRET_KEY value which should be randomly generated for the installation and stored in a local configuration file. With each user request, the browser returns the cookie to the server, which checks the signature to authenticate the user before processing the request.

I'm sure you can see where this is going. When first installed, Superset provides a default SECRET_KEY value of \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h. The Superset configuration guide specifically advises the user to modify this, replacing it with a genuinely random value.

But how many really do this, wondered the Horizon3.ai researchers? Back in 2021,, using a Shodan search to locate Superset servers, they found out, by the simple test of requesting the Superset login page. Of the 1,288 Internet-accessible servers they located, 918 - that's just over 71% - used the default value for SECRET_KEY.

They notified the Superset developers, who changed the SECRET_KEY to a new default value and added additional warnings, but user behaviour has not improved much: a repeat of the original experiment in January 2022 found that while Superset adoption had increased - with 3176 servers accessible on the Internet, 2124 were still using a default value for SECRET_KEY.

That's got to be worrying for the users of those systems, since the flask-unsign tool will allow an attacker to easily forge an authentication cookie with administrator privileges - and from there, they can access the databases from which Superset queries the data, or execute code, or mine credentials.

The developers have now updated the code so that Superset will not start with a default SECRET_KEY value, although there are still some cases which this will not fix. And the Horizon3.ai researchers have provided additional guidance on remediation, in their blog post.

But there's a lesson here for all developers, especially of open-source projects: we need to make the generation of unique keys, tokens, certificates, etc. an automatic part of the installation process. Relying on users to manually edit files just isn't going to fly.

Sunkavally, Naveen, CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution, blog post, 25 April 2023. Available online at https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

XSS Vulnerability in Cisco Prime Collaboration Deployment

Cisco has disclosed a cross-site scripting (XSS) vulnerability in the user interface of its Prime Collaboration Deployment server management platform, version 14 and earlier. The vulnerability, which arises from a lack of proper sanitization of user input, could allow an attacker to execute malicious JavaScript code in the browser of an authenticated user of the platform, possibly leading to theft of credentials, malware infection or other exploits.

Worse still, the vulnerability is available to unauthenticated remote attackers. There is, as yet, no workaround for this vulnerability, although Cisco obvious plans to release a software update.

Cisco Security, Cisco Prime Collaboration Deployment Cross-Site Scripting Vulnerability, security advisory, 26 April 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pcd-xss-jDXpjm7.

PingPull Malware Now Targets Linux

PingPull is a remote access trojan for Windows, generally operated by a Chinese APT calleded Alloy Taurus, a.k.a. GALLIUM. The RAT allows its operators to execute commands and access a shell on the victim systems, which are generally telcos or military/government organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Russia and Vietnam. However, following publication of a report on their operations by Palo Alto's Unit 42, the group abandoned their infrastructure and went to ground.

Now, Unit 42 researchers have identified a new variant of PingPull, this time targeting Linux systems, indicating that Alloy Taurus is back in business, with new infrastructure. The new variant seems to share some functionality, and perhaps some code, with the earlier China Chopper RAT. Alloy Taurus has also been operating another backdoor, called Sword2033, on the same infrastructure.

It also seems that Allow Taurus has now expanded its cyber-espionage interests to financial institutions, and it has also been observed operating in South Africa and Nepal.

Unit 42, Chinese Alloy Taurus Updates PingPull Malware, report, 26 April 2023. Available online at https://unit42.paloaltonetworks.com/alloy-taurus/#post-127879-_wven14kmgum2.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Yet Another Amplification Attack

Network security professionals know that a number of UDP-based application-layer protocols can be used for amplification attacks. In these attacks, the threat actor sends UDP datagrams to a vulnerable service, but spoofs the source IP address to be the victim's IP address rather than her own. In response to a single UDP datagram request, the vulnerable service will reply with many datagrams in reply - hence the term, amplification attack.

A number of protocols provide quite high amplification factors: for example, the QOTD (Quote of the Day) service will respond with an average of over 140 datagrams for one query, while the CharGEN service has an amplification factor of over 358 to 1. The saving grace is that these protocols are rarely used, hence pose little threat. A bit more troublesome is the network time protocol (NTP), which has an amplification factor of almost 557.

Now, researchers from Bitsight and Curesec have reported a high-severity vulnerability - CVE-2023-29552 - in the Service Location Protocol (SLP, RFC 2608), which could provide attackers with amplification factors as high as 2,200. This seems to be a new record, and could lead to massive distributed denial of service (DDoS) attacks.

Despite its age, SLP is still in use; the researchers identified over 54,000 SLP instances in over 2,000 organizations globally. Products that incorporate SLP include VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI and many others. Many of these systems are accessible on the Internet, and are likely to be older, unmanaged or even abandoned systems, as in well-managed networks, firewalls would not pass SLP datagrams, which use port 427.

CISA, Abuse of the Service Location Protocol May Lead to DoS Attacks, alert, 25 April 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks.

Stone, Noah, New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP), blog post, 25 April 2023. Available online at https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp.

Critical Vulnerabilities In Print Management Software, Exploited in the Wild

Two vulnerabilities in enterprise print management software PaperCut MF and PaperCut NG are being exploited in the wild. The vulnerabilities, reported to PaperCut by Trend Micro, are:

• CVE-2023-27350 - CVSS v3.x: 9.8 (Critical) - Unauthenticated remote code execution in SYSTEM context
• CVE-2023-27351 - CVSS 3.x: 8.2 (High) - Authentication bypass

The vulnerabilities have been fixed in PaperCut MF and NG versions 20.1.7, 21.2.11 and 22.0.9 and higher, but many organizations are yet to deploy the patches. A Shodan search showed that close to 1,700 instances of the software were exposed to the Internet.

Security firm Huntress has observed post-exploitation deployment of backdoors on compromised instances, followed by installation of Truebot malware or cryptomining software. Apart from this, exploitation of CVE-2023-27350 would allow exfiltration of sensitive data such as user names, email addresses and more from unpatched servers.

Goodin, Dan, Exploit released for 9.8-severity PaperCut flaw already under attack, Ars Technica, 25 April 2023. Available online at https://arstechnica.com/information-technology/2023/04/exploit-released-for-9-8-severity-papercut-flaw-already-under-attack/.

Uncredited, URGENT | PaperCut MF/NG vulnerability bulletin (March 2023), knowledgebase article, 25 April 2023. Available online at https://www.papercut.com/kb/Main/PO-1216-and-PO-1219.

North Korean APT Targets MacOS with 'RustBucket' Malware

Researchers at Jamf Threat Labs have discovered a MacOS malware family which they have christened 'RustBucket'. The malware contacts C2 servers to download and execute various payloads and, based upon the similarity to a Windows attack documented by Kaspersky, is attributed to BlueNoroff, a subgroup of the North Korean Lazarus Group.

(Image credit: Jamf)

The first stage dropper of the malware chain is written in compiled AppleScript, and embedded into an unsigned application named Internal PDF Viewer.app; this is consistent with BlueNoroff's technique of luring victims with fake job application correspondence. Stage 2 is written in Objective-C and also masquerades as a PDF viewer, and is a trojan horse which activates when a specific PDF file is loaded, functioning as a loader. Stage 3, written in Rust (hence, 'RustBucket'), is a more sophisticated backdoor.

Saljooki, Ferdous and Jaron Bradley, BlueNoroff APT group targets macOS with ‘RustBucket’ Malware, blog post, 21 April 2023. Available online at https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

New Phone? No More Google Authenticator Blues. . .

For those of us who use Google Authenticator, getting a new phone has heralded a tedious task, not to mention occasional pain. You see, Google Authenticator, a software time-based one-time password token generator which generates a new authentication code every minute, stored its seed values on the phone - hopefully in the secure element - which meant that a new phone meant re-seeding the various tokens in the Authenticator app.

For some accounts, this simply meant using the camera phone to scan a QR code off a PC screen, in order to replace the current token with a new one and store the seed values in the new phone. But for some accounts, it meant getting administrators to revoke the current one-time codes so that we can enrol the new phone - a tedious process that could take some time.

Fortunately, Google has now updated the Authenticator app to store the token data in the user's Google account, allowing accounts to be transferred between phones with relative ease. In fact, version 6.0 and later for both Android and iOS will synchronize Authenticator codes across multiple devices and will automatically restore them to any new device you use.

Of course, this has implications for lost and stolen devices, especially if the device is not locked using some secure mechanism. And if the Google account itself can be compromised . . . But then, an attacker would need the Authenticator codes to do that, wouldn't they?

Brand, Christian, Google Authenticator now supports Google Account synchronization, blog post, 24 April 2023. Available online at https://security.googleblog.com/2023/04/google-authenticator-now-supports.html.

Google Rolls Out Generative AI for Security

Sticking with other Google news, the firm has announced a number of related new capabilities which bring AI to the field of infosec. The key one seems to be Google Cloud Security AI Workbench, a do-everything 'platform' which is based on a specialized large language model for security called Sec-PaLM.

(Image credit: Google)

Sec-PaLM seems to take feeds from a number of sources: the MITRE frameworks, obviously, as well as OSSVDB, VirusTotal and threat intelligence from Mandiant, which is now owned by Google. The product will also draw on selected data from Google partners; the first of these will be Accenture, who will integrate Security AI Workbench with their Managed Extended Detection and Response service.

In addition, Sec-PaLM is also being added into two other products. Firstly, VirusTotal will use it to power a new automated malware analysis feature called Code Insight, which can analyze files to improve the detection of actual threats, reducing false positives. The code is already analyzing PowerShell scripts uploaded to VirusTotal. Secondly, Mandiant is integrating Sec-PaLM into the Chronicle SIEM/SOAR suite, in the form of Mandiant Breach Analytics for Chronicle.

This is a large product announcement with lots of implications. We can expect to see further integration of AI into incident response tools, improving the signal/noise ratio for human analysts and perhaps helping to close the skills gap.

Potti, Sunil, Supercharge security with generative AI, blog post, 25 April 2023. Available online at https://cloud.google.com/blog/products/identity-security/rsa-google-cloud-security-ai-workbench-generative-ai.

Open-Source Large Language Model Launched

And while we're on the subject of AI, Stability.ai has launched the first of its open-source StableLM language models; the alpha version of the model is available in 3 billion and 7 billion parameter versions, with 15 billion to 65 billion parameter versions to follow.

Developers can freely inspect, use and adapt the base models for commercial or research purposes, under the terms of the Creative Commons BY-SA-4.0 license. The models are now available in the firm's GitHub repository.

Uncredited, Stability AI Launches the First of its StableLM Suite of Language Models, blog post, 19 April 2023. Available online at https://stability.ai/blog/stability-ai-launches-the-first-of-its-stablelm-suite-of-language-models.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

NSO's Pegasus - Still a Thing

Just over a week ago, we brought you news of Citizen Lab's discovery of new amrtphone implants produced by Israeli spyware firm QuaDream. This kind of implant is commonly used by governments to spy on journalists and civil rights activists - a market that was pioneered by another Israeli company, NSO Group. We hadn't heard from NSO Group in some time, suspecting that intense publicity had caused them to put the brakes on their activities.

Not so, it seems, according to a new report from Citizen Lab, who have discovered three new zero-click exploit chains against Apple iOS 15 and 16 which seem to have been developed by NSO Group during 2022. The Toronto researchers' investigation started with the discovery of infections on the phones of human rights defenders from Centro PRODH, which represents victims of military abuses in Mexico.

This led to the uncovering of PWNYOURHOME, which was deployed against iOS 15 and 6 starting in October 2022, and appears to be a novel two-step zero-click exploit - the first step targets HomeKit and the second target iMessage. Working backwards, FINDMYPWN was deployed against iOS 15 from June 2022, and is also a two-step exploit - stage one targets the iPhone's "Find My" feature, while stage two targets iMessage. Using information shared by Citizen Lab, Apple released fixes for HomeKit in iOS 16.3.1.

Having identified FINDMYPWN and PWNYOURHOME, the Citizen Lab researchers discovered traces of NSO Group's first 2022 zero-click, LATENTIMAGE, which may also have exploited the iPhone "Find My" feature.

The Citizen Lab report provides a full run-down on the technical aspects of these exploits, as well as the socio-political targeting, and suggested mitigation using Apple's Lockdown Mode.

Marczak, Bill, John Scott-Railton, Bahr Abdul Razzak and Ron Deibert, Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains, technical report, 18 April 2023. Available online at https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/.

GhostToken Vulnerability Hides Malicious Google Cloud Applications

A recently-patched vulnerability in Google Cloud Platform potentially exposed millions of Google accounts to access via an invisible, undeletable OAuth2 access token. The vulnerability, called GhostToken by the Astrix Security researchers who discovered it, was notified to Google on 19 June 2022. So deep in Google's processes was the vulnerability located that it took the cloud provider over nine moths to deploy a fix, in early April, allowing disclosure of the vulnerability by Astrix.

(Image credit: Astrix)

A hypothetical attack would work by getting the victim to naively grant access, via the OAuth 2.0 protocol, to their Google account by an apparently trustworthy app. The attacker then replaces the app code with a malicious version and - here's the GhostToken trick - deletes the Google Cloud Platform project associated with the OAuth2 authorization. This causes the project to go into a "pending deletion" state, which removes the app from the user's app permissions page at https://myaccount.google.com/permissions and preventing the victim from removing access.

However, the project will not be really deleted for another 30 days, allowing the attacker to restore it, use the access token to copy the victim's data, and then delete the project once more. Just what data the attacker can access depends upon the permissions granted by the victim, but could include access to Gmail, Google Drive, Docs and other application data.

The Google fix simply updates the app permissions page to include apps that are in a pending deletion state, so that the user can revoke access.

Uncredited, GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts, blog post, 20 April 2023. Available online at https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Class Action Launched Against Optus

Class action law firm Slater and Gordon has launched an action against Optus, representing 100,000 customers whose data was compromised by an attack some six months ago. The suit alleges Optus breached privacy, telecommunications and consumer laws as well as - perhaps more troubling - the company's own internal policies.

According to Slater and Gordon's class actions practice group leader, Ben Hardwick:

In general, privacy laws require data controllers or custodians to take 'reasonable steps' or implement 'reasonable safeguards' to protect personal data, and a possible line of defence could be the argument that it is not reasonable to expect even the best security professionals to foresee, and have the resources to protect against, every possible attack - this is why we perform risk management in order to prioritize our defences.

However, if the suit specifically alleges that the breach was due to Optus staff not complying with its own policies, that suggests that this class of attack was foreseen and a reasonable safeguard - by Optus' own definition - should have been in place to prevent it. It also implies a lack of audit and testing to detect the absence of the appropriate control. There are suggestions that customer data was exposed while testing an API or via a now-unused API; the use of real customer data for testing is a fundamental no-no, but the breach could also have been due to improper web API asset management or excessive data exposure.

With almost ten million Optus customers affected, the plaintiff class should grow substantially, and as this action plays out many CISO's and commentators will be watching closely.

Knight, Ben, Optus data breach class action launched for millions of Australians caught up in cyber attack, ABC News, 21 April 2023. Available online at https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638.

May, Natasha, Optus sued by 'vulnerable' victims of data breach, The Guardian, 21 April 2023. Available online at https://www.theguardian.com/australia-news/live/2023/apr/21/australia-news-live-renewables-superpower-clean-energy-summit-jim-chalmers-nsw-liberals-leadership-indigenous-voice-cost-of-living-interest-rates-drug-reform.

Ransomware Attacks Poorly-Secured Microsoft SQL Servers

South Korean security firm AhnLab has discovered a relatively new type of ransomware now being used to compromise poorly-secured Microsoft SQL Server database servers. The Trigona malware first appeared in late 2022, and Palo Alto Networks' Unit 42 has also detected it being deployed against a range of industries in the US, Italy, France, Germany, Australia and New Zealand.

The threat actor monitored by AhnLab's Security Emergency response Center (ASEC) achieves initial compromise of the SQL Servers via either brute force or dictionary attacks, indicating that the servers a) are directly exposed to the Internet - tsk, tsk! - and b) have weak passwords on either admin or service accounts. Another problem is the installation of SQL Server on desktop and even laptop machines as part of some ERP and vertical-market applications - the author remembers installing the software for a TV tuner card on his desktop PC and being amazed to discover a complete installation of SQL Server, just to maintain the electronic program guide (EPG) when a smidgin of XML would have done the job!

Having achieved initial access, the actor installs CLR Shell, a backdoor which is written in assembler for the .NET common language runtime. This backdoor - similar to a webshell - can accept commands to enumerate system information as well as achieving privilege escalation by editing the registry and rebooting the system to change the SQL service account to LocalSystem. Having done this, the actor installs a dropper, svcservice.exe, which will create and launch the Trigona ransomware, svchost.exe, as well as a batch file which edits registry keys to ensure Trigon runs after every reboot, then deletes volume shadow copies and disables the system recovery feature. The batch file the invokes a copy of the Trigona svchost.exe for each possible drive letter from C:\ to Z:\ before finally deleting the svcservice.exe dropper and its related files.

As the ransomware runs, it leaves a ransom note, under the filename how_to_decrypt.hta, in every directory. This instructs the victim to download the Tor browser and go to a specific address - embedded in the file via JavaScript - for instructions on how to make payment. Unusually, Trigona is written in Delphi (the contemporary descendant of the old Turbo Pascal). Another unusual characteristic of this threat actor is that it requests payment in Monero, rather than the more popular Bitcoin.

Sanseo, Trigona Ransomware Attacking MS-SQL Servers, blog post, 17 April 2023. Available online at https://asec.ahnlab.com/en/51343/.

Lee, Frank and Scott Roland, Bee-Ware of Trigona, An Emerging Ransomware Strain, blog post, 16 March 2023. Available at https://unit42.paloaltonetworks.com/trigona-ransomware-update/.

How To Host User-Controlled Content?

Most security professionals, and some web developers, are aware of the challenges of hosting user-generated or -controlled content in their applications. This can include simple cases like user-uploaded photos or graphics, through to more sophisticated cases which might involve the use of HTML tags. If user uploads are ruthlessly sanitized, the result can be cross-site scripting, cross-site request forgery and a range of other attacks.

The classic solution is to separate untrusted, user-controlled content from trusted site content by using sandbox domains. You may have noticed Google doing this, for example - while their own trusted content is hosted at google.com, the untrusted user-controlled content is downloaded from googleusercontent.com. Many other sites work the same way.

A new article from Google Security provides a useful tutorial on more modern techniques which are both easier and more secure, and work by taking advantage of HTTP header fields that many developers simply are not aware of. The article describes two basic use cases.

The first is serving completely passive user content, such as images and file downloads. The basic technique here is to set the Content-Type header to a well-known MIME type this is supported by all browsers and guaranteed not to contain active content. If in doubt, application/octet-stream is a safe choice. However, in addition, a number of other response headers, such as Cross-Origin-Resource-Policy and Content-Security-Policy, should also be set to ensure that the browser fully isolates the response.

However, some user-controlled content, such as HTML or scalable vector graphics (SVG files), needs to be interpreted by the browser. Here, the basic technique is to use the Content-Security-Policy: sandbox header, but once again, there are advanced twists, such as adding a sandbox domain to the public suffix list, and developing specialised handlers that convert the user-controlled content into a pre-rendered blob (binary large object).

Dworkin, David, Securely Hosting User Data in Modern Web Applications, blog post, 18 April 2023. Available online at https://security.googleblog.com/2023/04/securely-hosting-user-data-in-modern.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Consumers Ready for Passkeys - Once They Know About Them

A new survey conducted by password manager vendor 1Password indicates that consumers are ready for a passwordless future using passkeys - but they don't know about them.

Passkeys were developed by the FIDO Alliance (specifically, the Client-to-Authenticator Protocol [CTAP]) and the World Wide Web Consortium (the Web Authentication specification). This passwordless (yay!) authentication system effectively works the same way as the SSH public-key authentication familiar to security professionals - during site registration, the protocol automatically generates a public/private key pair and uploads the public key to the user's new account on a web site. From that point on, the user need only unlock their authenticator - which could use biometrics on a smartphone, so just a tap would be required - and that will select the correct private key and complete the authentication process.

Unsurprisingly, 1Password's survey revealed that almost two out of every three people say that they are open to using any new technology that will make their lives simpler. However, only one in four has heard the term 'passwordless', indicating that they are not seeing it on the web sites they use or in mainstram media coverage.

However, once shown a description and an example of passkeys in operation, 75% of respondents say they are open to using them.

Since Google, Microsoft and Apple have all announced passkey support in their browsers, the bottleneck to adoption probably lies with the developers of popular web development platforms. Consumers have shown a preference for federated identity management solutions where appropriate and available, and would almost certainly switch rapidly to passkeys once they are widely accepted.

Uncredited, Preparing for a passwordless future, report, 18 April 2023. Available online at https://1password.com/resources/passwordless-future-report.

The Billion Dollar Scam

Following Monday's ABC Four Corners documentary on ransomware group REvil, we have stumbled across another interesting doco from a national broadcaster. In this one, BBC investigative reporter Simona Weinglass has led a wide-ranging investigation into a criminal network which is believed to have scammed more than one billion dollars through investment scams all over the world.

While Chinese gangs are notorious for running 'pig butchering' scams in SE Asia, this particular group runs a similar operation targeting European and US victims from call centers - in Kyiv until the war began, followed by a rapid relocation to Tbilisi in Georgia. Perhaps most fascinating is the way the ringleaders distance themselves from the front-line workers, behaving and appearing in almost all respects as legitimate businessmen - not to mention the regret felt by some of the call center workers when they realise their well-paying jobs are not with a legitimate investment fund, but actually a criminal organization.

Weinglass, Simona, The Billion Dollar Scam, documentary program, 14 April 2023. Available online at https://www.youtube.com/watch?embed=no&v=w6JXZ3GzSCQ.

Vaastamo CEO Given (Suspended) Jail Time

Our course attendees and regular readers will be familiar with the case of Finnish mental healthcare provider Vaastamo, which suffered a ransomware breach in September 2020, encrypting their patient records. When the company's CEO, Ville Tapio, refused to pay a ransom, the firm discovered that the ransomware had also performed data exfiltration, as the hackers released sensitive patient records on a Tor network server. And when the CEO still refused to pay the ransom, the hackers turned to extorting payments from the individual patients, predictably leading to a class action.

Investigations revealed that the company's software was only minimally secured and did not comply with Finland's regulations for healthcare records systems. The CEO was terminated and the company subsequently liquidated.

On Tuesday, the Helsinki District Court handed down its judgement in a criminal prosecution of former Vaastamo CEO Ville Tapio for a data protection offence. The court found that he did not fulfil the EU's GDPR (General Data Protection Regulation) requirements to pseudonymise and encrypt patient data handled by the company.

The court characterised Tapio's actions as particularly reprehensible, due to both the size of the breach and the sensitivity of the information involved. In the sentencing statement, the court found that, "Taking into account the long period of time, the district court finds that this act cannot be reconciled with fines, but that Tapio must receive a prison sentence for the act". However, considering that Tapio had no previous criminal record, the court imposed a three month suspended sentence.

Tapio had claimed ignorance of the company's poor security, blaming the breach on two former IT staff. However, governance law and regulations in most jurisdictions makes boards and executive management liable for the management of cybersecurity risk, so that defence was never going to fly.

Incidentally, the alleged perpetrator of the breach, Aleksanteri Kivimäki, was apprehended back in late February and will face a range of charges in due course.

YLE News, Hacked therapy centre's ex-CEO gets 3-month suspended sentence, news report, 18 April 2023. Available online at https://yle.fi/a/74-20027665.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

APT28 Exploited Known Vulnerability in Cisco IOS

The US Cybersecurity & Infrastructure Security Agency, the UK National Cyber Security Centre, NSA and FBI have released a joint advisory, detailing the tactics, techniques and procedures used by APT28 in its exploitation of Cisco routers, mainly back in 2021 APT28 is perhaps better known as Fancy Bear, Sofacy or STRONTIUM, although it is officially the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165.

The group was able to exploit CVE-2017-6742, which was fixed back in June 2017 (several years before the exploitation). This vulnerability affects Cisco's implementation of SNMP (Simple Network Management Protocol) v2 in its routers - SNMP v2 has long been known to have weak authentication and in many cases, all that is required is the default community string value of 'public' to be able to query the management information base on a network device.

So, the threat actors simply scanned for routers with weak community strings, and upon discovering one, used CVE-2017-6742 to inject their malware directly into the memory of the router. This means that the malware - called Jaguar Tooth - is non-persistent, but can easily be reinjected whenever required. Once resident in memory, Jaguar Tooth grants telnet access to existing local accounts, and also creates a process called 'Service Policy Lock' which runs a number of show commands, exfiltrating the results over the TFTP protocol:

• show running-config
• show version
• show ip interface brief
• show arp
• show cdp neighbors
• show start
• show ip route
• show flash

The lessons are obvious. First, network devices are an increasingly popular target for threat actors as they allow interception of inbound and outbound traffic; furthermore, they often receive far less scrutiny and monitoring than computers and cannot run the endpoint detection and response tools available for popular operating systems. Hence, the first mitigation has to be a policy of proactive patching - the exploited routers should have been updated four years earlier.

SNMP v1 and v2 should be replaced with more secure protocols, such as NETCONF or RESTCONF, for remote management (and telnet should be disabled!). The joint advisory, coupled with the UK NCSC's two reports, provide a lot more detail.

CISA, APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers, cybersecurity advisory, 18 April 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108.

NCSC, APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers, advisory, 18 April 2023. Available online at https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers-uk.pdf.

NCSC, Jaguar Tooth, malware analysis report, 18 April 2023. Available online at https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf.

New Device Advances Quantum Key Distribution

While much hype surrounds the potential of quantum computers, especially for breaking existing public-key cryptography algorithms, other quantum developments continue to provide solutions to the problem. One of these areas is quantum key distribution, which solves the key distribution problem by providing a form of key transfer which is immune to eavesdropping.

The key distribution problem can be simply stated. Alice and Bob wish to communicate over an insecure channel - one on which Eve can eavesdrop. Alice and Bob can solve their problem by encrypting their communication using an algorithm like AES, but in order to do that, they each need to have the same key. If Alice comes up with a random key and sends it to Bob over their insecure channel, Eve will simply intercept the key, and they will be no better off - so how can they exchange or agree on a key without Eve getting hold of it?

Current systems mostly solve this problem using public-key cryptographic algorithms like having Alice 'wrap' the random key using Bob's RSA public key and sending it to him; since Eve does not have Bob's private key - only Bob has that - she cannot learn the key. Or Alice and Bob can use Diffie-Hellman key agreement. But these are the techniques that quantum computers may well break in the not-too-distant future.

Much attention has focused on the use of polarized photons to send a key over a fiber optic cable. Since they only way to figure out the polarization of a photon is to pass it through a polarized filter and detect what comes out, any attempt by Eve (or Mallory, the man-in-the-middle) to do this will either change the polarity of many photons or block them completely, rendering the attack obvious to Alice and Bob. Using a protocol called BB84 with privacy amplification, this technique has already been commercialized and rack-mount devices for quantum key distribution are already available.

However, there's another promising technique waiting in the wings that is completely unobservable by Eve and Mallory, based on quantum entanglement - a phenomenon that Einstein could never come to terms with, calling it "spooky action at a distance". When two subatomic particles are entangled, any change to one of the particles happens to the other, no matter how far apart the particles are, and with no apparent communication between them. In other words, there is nothing for Eve or Mallory to intercept.

Already, scientists in China have demonstrated satellite-based distribution of entangled photon pairs to two locations over 1,000 km apart via two satellite-to-ground downlinks [1]. However, this technique is expensive and still highly experimental; optical fiber will likely remain cheaper for shorter distances. In both cases, the cost of the equipment for generation of entangled photons remains a barrier.

However, a new paper [2] reveals the first photonic device that puts all the circuitry on one chip, combining an optical amplifier built out of indium phosphide - effectively a semiconductor laser that can generate a stream of photons - with a second section containing progressively smaller 'microring resonators', made of silicon nitride, which filter out noise and eventually produce a pair of entangled photons.

The chip, which draws only 3 watts of power, can generate 8,200 pairs of entangled photons per second, at the wavelengths commonly used for fiber optic cables. Although there are still some challenges in the complexity of the manufacturing process and the chip's performance, the fact that it reduces the size of the quantum light source by a factor of 1,000 could accelerate the use of quantum entanglement out of the laboratory and into real-world applications.

The original papers below are, of course, incredibly technical, but the IEEE Spectrum article is much more accessible for the layman.

[1] Yin, J., Cao, Y., Li, Y.-H., Liao, S.-K., Zhang, L., Ren, J.-G., Cai, W.-Q., Liu, W.-Y., Li, B., Dai, H., Li, G.-B., Lu, Q.-M., Gong, Y.-H., Xu, Y., Li, S.-L., Li, F.-Z., Yin, Y.-Y., Jiang, Z.-Q., Li, M., … Pan, J.-W. (2017). Satellite-based entanglement distribution over 1200 kilometers. Science, 356(6343), 1140–1144. https://doi.org/10.1126/science.aan3211.

[2] Mahmudlu, H., Johanning, R., van Rees, A., Khodadad Kashi, A., Epping, J. P., Haldar, R., Boller, K.-J., & Kues, M. (2023). Fully on-chip photonic turnkey quantum source for entangled qubit/qudit state generation. Nature Photonics, 1–7. https://doi.org/10.1038/s41566-023-01193-1.

Gent, Ed,  Entangled Photons Produced Entirely On-Chip: Quantum photonic technology reduced to the size of a coin, IEEE Spectrum, 17 April 2023. Available online at https://spectrum.ieee.org/quantum-entanglement.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.