Site blog

Les Bell
ACSC, CISA Address BCP
by Les Bell - Tuesday, 14 November 2023, 8:06 AM
Anyone in the world

The Australian Cyber Security Centre, aided by the US's Cybersecurity and Infrastructure Security Agency, has released a guidance package aimed at ensuring continuity of operations for both email communications and critical business applications following a significant incident - the most obvious example being a ransomware attack, but physical disasters do happen, too.

A building fire. (Photo by Chris Karidis on Unsplash)

The package, entitled Business Continuity in a Box, is aimed at small and medium businesses and provides step-by-step instructions on how to deploy the necessary services in the cloud. It consists of three guidance documents plus a supporting PowerShell Script:

  • ACSC Business Continuity In a Box - Overview
  • ACSC Business Continuity In a Box - Communications
  • ACSC Business Continuity In a Box - Applications
  • ACSC Business Continuity In a Box - Automation Tool

The Communications document provides a detailed, step-by-step, plan for provisioning a replacement email service using a Microsoft 365 Business Standard Tenant (one can't help wondering if the focus on Microsoft's cloud is the first fruit of Microsoft's recent much-touted $A5 billion investment in cybersecurity and AI in Australia).

In stage 1, the user reviews the pack and verifies that they have the prerequisites (a Windows 10 or 11 computer, a phone, an email account, relevant information about the organisation - particularly access to its DNS configuration - and a credit card).

In stage 2, the guide walks the user through provisioning the MS 365 tenant, while in stage 3, they update the organisation's DNS entries, following provider-specific guidance supplied at the time by Microsoft. Stage 4 uses a PowerShell script to apply configuration settings to the MS 365 tenant and the associated Exchange Online instance. while the final stage validates the environment.

The guide seems to be well thought-out, with good explanations at an appropriate level for an only moderately technical user who is working quickly, under pressure, possibly somewhat panicked.

Despite my idle musings above, the guide does make the point that this MS 365 account can operate on a 30-day free trial, so it's not very profitable for Microsoft (but neither will it cost them much, either). But I wouldn't be surprised if Google and other SaaS providers produced similar guides for their own services.

The Continuity of Applications guide is, of necessity, much less detailed - there being so many different types of applications. It covers three stages - 1: determining the critical applications (essentially a crude Business Impact Analysis, described in a few paragraphs), 2: Determining a continuity path (selecting SaaS, PaaS or IaaS), and 3: deploying an IaaS application environment, IaaS being the fastest way to deploy an existing application, although some basic applications could be deployed on SaaS using low-code/no-code tools such as Microsoft PowerApps or Google AppSheet (unfortunately, not covered here).

The discussion for stage 3 covers the various architectural principles and patterns as well as relevant issues, and is more agnostic than the Continuity of Communications document, providing examples for MS Azure, AWS and Google Cloud. However, in all cases, a lot more preparation work will be required of the user, if they are to respond quickly to a business continuity incident.

Overall, this is a useful set of preparatory documents for SME's. What's more, we know from experience that at least some of the techniques described really work. Take, for example, the experience of Norsk Hydro, which suffered a targeted ransomware attack (Beaumont, 2019 and Clueley, 2019,) but quickly got on the front foot by deploying an interim web site in Azure and providing status updates to customers via email (which was unaffected since they were already using MS 365).

ASD and ACSC (with CISA), Business Continuity in a Box, documentation web page, 10 November 2023. Available online at https://www.cyber.gov.au/smallbusiness/business-continuity-in-a-box.

Beaumont, Kevin, How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business, DoublePulsar blog, 21 March 2019. Available online at https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880.

Clueley, Graham, In its ransomware response, Norsk Hydro is an example for us all, blog article, 3 April 2019. Available online at https://www.grahamcluley.com/in-its-ransomware-response-norsk-hydro-is-an-example-for-us-all/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Australia's Torrid Week for Critical Infrastructure
by Les Bell - Monday, 13 November 2023, 7:45 AM
Anyone in the world

It's only been a week since Australia's Department of Home Affairs released its first Critical Infrastructure Annual Risk Review - November being Critical Infrastructure Security Month. And only a couple of days later, top-tier telco Singtel Optus suffered a major day-long outage - this one apparently not cybersecurity-related, but with some important lessons for us, nonetheless.

A container terminal with a crane over a container ship.And just when everyone thought it couldn't get any worse, ports operator DP World Australia has been hit with a 'cybersecurity incident' (I would say breach, rather than incident, as their defences failed) - this one quite likely the early phases of a ransomware attack.

Turning first to Optus, the firm started to experience a major network failure starting around 4 am on Tuesday 7 November. There's been no official word so far, but the signs point to a failed BGP-4 configuration change which propagated throughout the firm's systems, since other network operators reported a spike in BGP-4 routing advertisements from the company, beginning around then. This brought down the company's cellular network, since voice calls in this 4G/5G/6G world are no longer switched analog signals, but Voice over IP.

You might be thinking, "Hang on - the whole point of the packet-switched IP protocol which runs the Internet, and the dynamic routing protocols which control its routing, is precisely to deal with this by detecting outages and routing around them!". And you'd be right, except for a couple of things:

First, the days when telephone exchanges were huge sandstone or concrete buildings which were manned 24 x 7 by technicians are long gone. These days, the 'central office' switching centre gear is much, much smaller, and is remotely managed - which is great as long as your network lets you connect to those switches and fix any configuration problems. But if your network routing is b0rked, then you've just sawn through the branch you were sitting on, and are rapidly hurtling towards terra firma.

The switches that failed first were located in two Melbourne suburbs, and so a technician apparently had to be despatched with a laptop and cable to connect to the AUX port of the switches. Meanwhile, a domino effect had set in, with routes being dropped all over the place. There are other potential complicating factors, too - think about physical access control: a great big chunky key will always work, but a badge reader will need network connectivity.

Over 12 hours later, the network was gradually coming up again, mollifying customers who had suffered significant losses. Coffee shops, hairdressers and retailers of all sizes were unable to take payments, since their credit card terminals rely on the cellular and in this post-COVID era hardly anyone carries cash. The result was a clamor for compensation - to which Optus was slow in responding, offering many customers an extra 200GB of free data (on top of an unlimited data plan, in many cases!).

There are clearly lessons here about resilience by means of redundancy, cost-cutting, the importance of planned responses to material incidents, breaches and outages, including crisis communications, and the value of dual-SIM smartphones with a spare pre-paid SIM.

Turning to DP World: the UAE-based logistics firm is the largest port operator in Australia, handling one third of the country's maritime freight through its ports in Sydney, Melbourne, Brisbane and Fremantle. On Friday 10 November, the company detected a breach and responded by disconnecting from the Internet and calling in cybersecurity specialists, including the Australian Cyber Security Centre, this being critical infrastructure.

As a result of this containment effort the firm had to close down its port operations, including its connections with landside transport and logistics companies. This could lead to supply-chain disruption and product shortages in the pre-Christmas retail peak - so we can expect more unhappy retailers.

DP World remains offline as of 7 am on Monday 13 November 2023, but hopes to back online within days.

'They' say that bad things always come in threes, so I'm waiting with bated breath. . .

McKenzie, Parker, What caused the Optus outage and how it exposed Australia’s communications framework, The New Daily, 8 November 2023. Available online at https://www.thenewdaily.com.au/finance/consumer/2023/11/08/optus-outage-cause-resiliency.

AAP, Cyber attack shuts down major port operator, The New Daily, 11 November 2023. Available online at https://www.thenewdaily.com.au/news/2023/11/12/dp-world-cyberattack.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Torrid Week for Australia's Critical Infrastructure
by Les Bell - Monday, 13 November 2023, 7:43 AM
Anyone in the world
Tags:
Permalink
 
Les Bell
Quantum Cryptanlysis Breakthrough? Really?
by Les Bell - Wednesday, 8 November 2023, 8:56 AM
Anyone in the world

Photo by Michael Dziedzic on UnsplashOnline magazine Tom's Hardware is reporting a claimed breakthrough in quantum computing which can break RSA-2048 - that is, given an RSA public key with a 2048-bit modulus, it can derive the private key in polynomial time. Even better, it can do this without requiring a huge, expensive super-cooled quantum circuit - instead, it works on a smartphone or Linux desktop.

The claim is made in the abstract of a preprint posted to open-source publishing site, ResearchGate, by Ed and Ann Gerck, of Planalto Research.

Now, until last year, I was a university lecturer in Applied Cryptography, and I taught some aspects of quantum crptology - both the use of quantum key distribution (QKD) and quantum cryptanalysis. In particular, I taught the basics of quantum computing and the operation of Shor's Algorithm for factoring large composites (which is the way to break RSA crypto), including how the quantum computer is used to derive the periodicity of a function.

I've read the abstract in question, and it doesn't make much sense to me. A few points to bear in mind:

  • I cannot conceive of any way to run a quantum algorithm on a smartphone. Quantum computing just doesn't work that way.
  • A breakthrough of this magnitude would not be published on an open-source site - if I had come up with it, I'd submit it for one of the major cryptology conferences like IACR, CRYPTO or EuroCRYPT. What's more, if it passed muster, I'd get star billing.
  • Peer review, while important for academic publishing, could easily be dispensed with in a case like this: the claim can be verified by returning the private keys in response to a few public keys given as a challenge. For bonus points, show it actually running on a smartphone.
  • The abstract also reveals that "that we are working on a post-quantum, HIPAA compliant, end-to-end, patent-free, export-free, secure online solution, to replace RSA as soon as possible". This work is apparently based on an earlier proprietary crypto algorithm called ZSentry. Frankly, nobody cares whether crypto is HIPAA-compliant; the question is whether it is FIPS accredited. This is just hand-waving, with added buzzwords for the technically unsophisticated, and one can only wonder whether the claim to have broken RSA is an attempt to stimulate demand for post-quantum crypto - which can in any case be met by several other solidly-based algorithms already on the standards track.

I've been banging the drum pretty consistently for many years on the need for cryptographic agility - preparedness to replace existing public-key algorithms before it is too late. But I'd be very surprised if this was the expected quantum apocalypse.

As I've long told my students, in the world of cryptology, there's not a great distance between secret sauce and snake oil. And, as UTS researcher Chris Ferrie points out, the world of quantum physics has spawned a lot of BS.

Tyson, Mark, Scientist Claims Quantum RSA-2048 Encryption Cracking Breakthrough, Tom's Hardware, 4 November 2023. Available online at https://www.tomshardware.com/software/security-software/quantum-rsa-2048-encryption-cracking-breakthrough-claim-met-with-scepticism.

Gerck, Ed and Ann Gerck, QC Algorithms: Faster Calculation of Prime Numbers, preprint, August 2023. Available online at https://www.researchgate.net/publication/373516233_QC_Algorithms_Faster_Calculation_of_Prime_Numbers.

Ferrie, Chris, Quantum Bullshit: How to Ruin Your Life with Advice from Quantum Physics, Sourcebooks, 2023. Available in Kindle format via Amazon at https://www.amazon.com/Quantum-Bullsh-Ruin-Advice-Physics-ebook/dp/B0BQCGRT4V/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Australian Critical Infrastructure Risk Review Released
by Les Bell - Tuesday, 7 November 2023, 5:56 PM
Anyone in the world

The Australian Department of Home Affairs and the Cyber and Infrastructure Security Centre has released the first Critical Infrastructure Annual Risk Review, to mark Critical Infrastructure Security Month.

The review found that foreign interference and espionage are principal threats to Australia's infrastructure, with foreign actors seeking everything from critical research and intelligence to details on production and service levels.

However, the review also pointed out that trusted insiders pose a significant threat to the critical infrastructure sector, since they can deliberately - or accidentally - disclose sensitive information to third parties, manipulate systems and networks to cause damage, or be recruited by foreign intelligence services. Dark web job ads targeting disgruntled employees are used as a recruitment tool, and are also used as a vector for delivery of malware via trojaned application forms.

The report also pointed to the effectiveness of cyber attacks such as the 2021 Colonial Pipeline incident, which started as a ransomware attack on corporate systems but led to a decision to shut down operational technology systems in order to mitigate cross-system compromise.

The 31-page report has short chapters on critical infrastructure risk and regulation, sector interdependencies, cyber/infosecurity, supply chain threats, physical threats, natural hazards and personnel risks. It concludes with a short section which looks to the future.

Industry Partnerships Branch, Department of Home Affairs, Critical Infrastructure Annual Risk Review, November 2023. Available online at https://www.cisc.gov.au/resources-contact-information-subsite/Documents/critical-infrastructure-annual-risk-review-first-edition-2023.pdf.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
QNAP Patches RCE Vuln in QTS, QuTS
by Les Bell - Tuesday, 7 November 2023, 8:39 AM
Anyone in the world

NAS Vendor QNAP has released fixes for two remote command execution vulnerabilities in their QTS, QuTS hero and QuTS cloud operating systems. The vulnerabilities are:

  • CVE-2023-23368 (CVSS 3.1 score: 9.8), a command injection vulnerability affecting:
    • QTS 5.0.x (fixed in QTS 5.0.1.2376 build 20230421 and later)
    • QTS 4.5.x (fixed in QTS 4.5.4.2374 build 20230416 and later)
    • QuTS hero h5.0.x (fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
    • QuTS hero h4.5.x (fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
    • QuTScloud c5.0.x (fixed in QuTScloud c5.0.1.2374 and later)
  • CVE-2023-23369 (CVSS 3.1 score 9.8), a command injection vulnerability affecting:
    • QTS 5.1.x (fixed in QTS 5.1.0.2399 build 20230515 and later)
    • QTS 4.3.6 (fixed in QTS 4.3.6.2441 build 20230621 and later)
    • QTS 4.3.4 (fixed in QTS 4.3.4.2451 build 20230621 and later)
    • QTS 4.3.3 (fixed in QTS 4.3.3.2420 build 20230621 and later)
    • QTS 4.2.x (fixed in QTS 4.2.6 build 20230621 and later)
    • Multimedia Console 2.1.x (fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
    • Multimedia Console 1.4.x (fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
    • Media Streaming add-on 500.1.x (fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
    • Media Streaming add-on 500.0.x (fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)

These are all fairly old versions of the software, as revealed by the version numbers of the fixed updates, and so most well-maintained installations will be unaffected - and those that are should obviously update immediately.

The QNAP QTS control panel firmware update dialog.After all, the beauty of NAS appliances such as those from QNAP and Synology is that admins don't need to get down in the weeds with Linux command-line administration - but they do have to still follow good admin practices such as proactive patching. On the QNAP devices, this is as simple as logging in with an admin account, opening the Control Panel, selecting Firmware Update and clicking the "Check for Updates" button, which will kick off the update process (right). And it's not even necessary to log in regularly - the server can notify you or even automatically install critical updates. It's also possible to do this from your phone, via the Qmanager app.

Really, people, there are no excuses . . .

QNAP Inc., Vulnerability in QTS, QuTS hero, and QuTScloud, security advisory QSA-23-31, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-31.

QNAP Inc., Vulnerability in QTS, Multimedia Console, and Media Streaming add-on, security advisory QSA-23-35, 4 November 2023. Available online at https://www.qnap.com/en-uk/security-advisory/qsa-23-35,

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Multiple Exchange0-Days - Lock That Server Down!
by Les Bell - Monday, 6 November 2023, 5:13 PM
Anyone in the world

Trend Micro's Zero Day Initiative has disclosed four new 0-day vulnerabilities in Microsoft's Exchange server. The vulnerabilities are:

The most serious of these is obviously ZDI-23-1578, which is described like this:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability.

The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

Trend Micro reported the vulnerability to Microsoft on 7 September; however Microsoft replied on 27 September:

The vendor states that the vulnerability does not require immediate servicing.

The company responded to the other vulnerabilities in the same way. I'm really not so sure about that. I'd be willing to be that a number of threat actors are sitting on Exchange user credentials which they have acquired via phishing, infostealers or other exploits, and they could make use of these credentials to authenticate and then run an exploit based on one or more of these vulnerabilities. After all, the vulnerable classes and methods are identified right there, in the advisories. And if a threat actor doesn't have the necessary credentials, this gives them motivation to go phishing.

A man fishing on a lake.

(Photo by Pascal Müller on Unsplash)

As the ZDI reports make clear, "Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.". I'd also be making my Exchange users a bit more aware of the possibilities of phishing attacks, and watching Exchange servers like a hawk.

Bazydlo, Piotr, ZDI Published Advisories, advisories list, 2 November 2023. Available online at https://www.zerodayinitiative.com/advisories/published/.

Upcoming Courses

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
 
Les Bell
Trojaned Trojan is Really a Striped Fly
by Les Bell - Monday, 6 November 2023, 9:55 AM
Anyone in the world

A wooden trojan horse on a wheeled platform.

(Photo by Tayla Kohler on Unsplash)

"Trojan Horse" is one of many cybersecurity terms that is overloaded with multiple meanings ("sandbox" is another). In the early security literature, a trojan horse was a pair of programs which could bypass the rules of a multi-level security system, sneaking information from a high security level (like TOPSECRET) to a low security level (like UNCLASSIFIED) which would allow it to be removed from the system and its secure environment.

Later, the term was reused for other purposes - one of them being a program that looks like it does one thing, but really does another. The stereotypical example is a program that emulates the login process on a UNIX system, but actually captures the user's credentials. Wait till the victim goes to lunch, having failed to log out, then run the program on their terminal session, and when they return from lunch, they'll assume they logged out, will log in again and voila! You've captured their password.

These days, the range of trojans is much greater. Many masquerade as mobile device apps, occasionally making it past static checks and into official app stores. Others pose as unlocked or free versions of popular programs - even open source programs that are free to download from their official sites only (Googling for software downloads is dangerous as threat actors will pay advertising fees to get their trojans inserted at the top of the results).

The additional functions of these trojans vary as well: some are infostealers, some are droppers, some are backdoors. Malware analysts routinely examine trojan code to figure out what they do, using static analysis, disassembly or running them in a sandbox to safely observe their behaviour.

And so it was with a malware sample which was first detected back in 2017, which analysts had classified as a Monero cryptocurrency miner. This kind of thing does not pose a major threat - mainly, it's stealing CPU cycles and eventually the user will notice, figure out what's going on, kill it and remove it. No big deal, and nobody took much notice.

The years passed, until Kaspersky researchers unexpectedly detected a signature within the WININT.EXE process of a malware sample associated with the Equation group. As they looked deeper, they traced back through previous examples, right back to this original suspicious code of 2017. Deciding to perform a detailed analysis revealed something completely unexpected: the cryptocurrency miner was just one component of something much larger.

They discovered that the malware used the EternalBlue SMBv1 exploit, which was first disclosed in April 2017 when the ShadowBrokers group tried to auction what they claimed was a library of exploits stolen from the NSA. But it was much more sophisticated than other malware that used the same exploit - much stealhier, and much more complex.

In fact, this malware family, which the Kaspersky researchers dubbed StripedFly, can propagate within a network using not only EternalBlue, but also the SSH protocol. Infection starts with injection of shellcode which can download binary files from bitbucket[.]org and execute PowerShell scripts. It then injects additional shellcode, deplying a payload consisting of an expandable framework with plugin functionality, including an extremely lightweight Tor network client.

The malware achieves persistence in various ways; if it can run PowerShell scripts with admin privileges, it will create task scheduler entries, but if running with user privileges, it inserts an obfuscated registry entry. Either way, it stores the body of the malware in another base64-encoded registry key. If it cannot run PowerShell scripts - for example, if it infected the system via the Cygwin SSH server - then it creates a hidden file with a randomized name in the %APPDATA% directory.

The download repository on Bitbucket was created in 2018, and contains updated versions of the malware. The main C2 server, however, is on the Tor network; the malware connects to it at regular intervals, sending beacon messages. The various modules which extend the malware register callbacks, which are triggered on initial connection to the C2 server, or when a C2 message is received - an architectural hallmark of APT malware.

The modules can be used to upgrade or uninstall the malware, capture user credentials (including wifi network names and passwords, SSH, FTP and WebDav credentials), take screenshots, execute commands, record microphone input, gather specific files, enumerate system information and - of course - mine Monero cryptocurrency.

In short, this is a very sophisticated piece of malware, and not the simple cryptominer it was originally believed to be. Somehow it has flown under the radar for many years, remaining largely undetected. Just who is behind it, and what their objectives may be, is far from clear.

The Kaspersky report provides a detailed analysis and IOC's, along with an amusing side-note concerning a related piece of malware called ThunderCrypt.

Belov, Sergey, Vilen Kamalov and Sergey Lozhkin, StripedFly: Perennially flying under the radar, blog post, 26 October 2023. Available online at https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/.

New Blog Format

Regular readers will notice the changed format of this blog; rather than aggregating several stories in one post, we have switched to posting individual stories with a more informative title. As before, links within a story mostly lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Upcoming Courses

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
[ Modified: Monday, 6 November 2023, 3:47 PM ]
 
Les Bell
Security News: 2023-11-03
by Les Bell - Friday, 3 November 2023, 9:24 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Site Maintenance

This site will be offline intermittently over the weekend of Saturday 4 and Sunday 5 November as we migrate to a new server. Normal, stable service will resume at 8 am AEDT (Sydney time) on Monday 6 November.

News Stories

FIRST Publishes CVSS v4.0

FIRST - the Forum of Incident Response and Security Teams - has published version 4.0 of the Common Vulnerability Scoring System (CVSS). A draft of the standard was previewed back in June at the FIRST Conference in Montreal, and this was followed by two months of public comments and two months of work to address the feedback, culminating in the final publication.

CVSS is a key standard used for calculation and exchange of severity information about vulnerabilities, and is an essential component of vulnerability management systems, particularly the prioritization of remediation efforts. Says FIRST:

"The revised standard offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls. In addition, several supplemental metrics for vulnerability assessment have been added including Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency. A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups."

A key part of the update is new nomenclature which will enhance the usability of CVSS in automated threat intelligence, particularly emphasizing that CVSS is not just the base score which is the most widely quoted, The new nomenclature distinguishes:

  • CVSS-B: CVSS Base Score
  • CVSS-BT: CVSS Base + Threat Score
  • CVSS-BE: CVSS Base + Environmental Score
  • CVSS-BTE: CVSS Base + Threat + Environmental Score

The base score provides information about the severity of the vulnerability itself. But in order to assess the risk posed by potential exploitation, it is necessary to take into account information specific to the defender's environment, such as the existence of compensating controls, not to mention the value of exposed assets and likely impact of exploitation. Some of these are expressed in the Environmental Metric group, which encompasses the CIA security requirements of the vulnerable system along with modifications to the Base Metrics as appropriate for the environment. Similarly, it is up to the user to use information about the maturity and availability of exploits and the skill level of likely threat actors in deriving a Threat Score. I expect some risk management professionals are already busy mapping these to elements of the FAIR ontology, such as Threat Capability and Resistance Strength.

Additional Supplemental Metrics can now be used to convey additional extrinsic attributes of a vulnerability, such as safety impacts, lack of automatibility and the effectiveness of recovery controls,  that do not affect the final CVSS-BTE score.

CVSS 4.0 is extensively documented, and FIRST has even developed an online training course, which can be found at https://learn.first.org/.

Uncredited, FIRST has officially published the latest version of the Common Vulnerability Scoring System (CVSS v4.0), press release, 1 November 2023. Available online at https://www.first.org/newsroom/releases/20231101.

Dugal, Dave and Rich Dale (chairs), Common Vulnerability Scoring System Version 4.0, web documenation page, 1 November 2023. Available online at https://www.first.org/cvss/v4-0/index.html.

CVSS v4.0 Calculator: https://www.first.org/cvss/calculator/4.0.

Still More AI Hallucination Embarassment

Regular readers might remember the scandal that erupted earlier this year when it was revealed that Big 4 consultancy PwC had been providing its clients with inside information about tax reforms which had been acquired in its role of advisor to the Australian Taxation Office. As we commented at the time, this would have been an egregious failure of the Brewer-Nash security model, better known as the Chinese Wall model, were it not for the fact that there was obviously no implementation of it in the first place.

That outrage surrounding this prompted a parliamentary enquiry into the ethics and professional accountability of the big audit and consulting firms more generally, with all the Big Four coming under sustained criticism for their practices. Now that enquiry has given us yet another example of how the uncritical use of large language models can give rise to major embarassment.

One of the public submissions to the parliamentary enquiry was prepared by a group of accounting academics who ripped into the several of Big Four, accusing KPMG of being complicit in a "KPMG 7-Eleven wage theft scandal" culminating in the resignation of several partners and claiming the firm audited the Commonwealth Bank during a financial planning scandal. Their submission also claimed that Deloitte was being sued by the liquidators of collapsed construction firm Probuild for failing to audit the firm's accounts properly, and also accused Deloitte of falsifying the accounts of a company called Patisserie Valerie.

Here's the problem: KPMG was not involved in 7-Eleven's scandal and never audited the Commonwealth Bank, while Deloitte never audited either Probuild or Patisserie Valerie.

So why did these academics accuse the firms? You guessed it: part of their submission was generated by an AI large language model, specifically Google's Bard, which the authors had used to create several case studies about misconduct.

The result was certainly plausible - the inquiry was, after all, instituted in response to similar, real cases - but the case studies it created were the result of classic LLM "hallucination", and the academics have now been forced to apologise and withdraw their work, submitting a new version.

It's going to be hard for their university to enforce their policy on academic integrity when even emeritus professors don't do their homework properly. We grade this paper as an "F" - failure to properly cite sources; possible plagiarism?

Belot, Henry, Australian academics apologise for false AI-generated allegations against big four consultancy firms, The Guardian, 2 November 2023. Available online at https://www.theguardian.com/business/2023/nov/02/australian-academics-apologise-for-false-ai-generated-allegations-against-big-four-consultancy-firms.

Upcoming Courses

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink
[ Modified: Sunday, 5 November 2023, 10:41 AM ]
 
Les Bell
Security News: 2023-11-02
by Les Bell - Thursday, 2 November 2023, 10:38 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Updated Guidance on Cisco IOS XE Vulnerabilities

In mid-October we reported on a 0-day vulnerability, CVE-2023-20198, which was being exploited in the wild. This vulnerability was in the web UI of Cisco's IOS XE operating system, and sported a CVSS 3.1 score of 10.0, which is guaranteed to get the attention of network admins. More recently, this vuln was joined by CVE-2023-20273, an input sanitization failure which allows an authenticated attacker to perform remote command execution with root privileges via crafted input. The CVSS score this time is only 7.2, so it's not quite as bad, but still . . .

Now Cisco has updated its advisory on these, recommending that admins check whether the web server is running with the command

show running-config | include ip http server|secure|active

If the output contains either of

ip http server

or

ip http secure-server

then the web UI is enabled. However, the presence of either ip http active-session-modules none or ip http secure-active-session-modules none indicates that the vulnerabilities are not exploitable via either HTTP or HTTPS, respectively.

Cisco's security advisory suggests a number of mitigations, principally disabling the web server or at least restricting access to a trusted network only, but the real fix is to download and install the appropriate software updates.

Cisco, Cisco IOS XE Software Web UI Privilege Escalation Vulnerability, security advisory, 1 November 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z.

US and Allies Up the Ante Against Ransomware

Via Reuters come reports that the White House is finalizing a new policy on government responses to ransomware attacks, and will share information on ransomware groups, including the accounts they use for ransom collection. The policy was announced during this week's International Counter Ransomware Initiative. Two information-sharing platforms will be created, one by Lithuania and the other jointly by Israel and the United Arab Emirates. These will share a blacklist, managed by the US Department of Treasury, of cybercurrency wallets being used to transfter ransomware payments.

The massive revenues collected by ransomware operators has been used to fund the development of new exploits and malware, creating a feedback loop that further increases their profitability. As a result, in recent years, ransomware has been the number one concern of CISO's globally. Security professionals generally agree that the only way to break this loop is to simply refuse to pay any ransoms, a decision that must weigh heavily on organizations that necessarily process personal - especially sensitive personal - information. When such organizations refuse to pay an extortion demand from an operator which has exfiltrated personal information, the extortionists will often turn their focus to the individual victims, as happened last week to the parents of children in the Clark County (Las Vegas) school district.

One option that is perennially raised is that governments should make ransomware payments illegal, a somewhat drastic step that would lift the moral burden of not paying off the affected organizations - but may well transfer the harm to the individual victims who usually have absolutely no responsibility for a breach. At the International Counter Ransomware Initiative meeting, forty countries pledged never to pay a ransom to cybercriminals, although this seems to apply to the governments themselves.

Clearly, the best option by far is to never fall victim to a ransomware attack in the first place - something that is obviously much more easily said than done.

Hunnicutt, Trevor and Zeba Siddiqui, White House to share ransomware data with allies -source, Reuters, 31 October 2023. Available online at https://www.reuters.com/technology/white-house-share-ransomware-data-with-allies-source-2023-10-30/.

Siddiqui, Zeba, Alliance of 40 countries to vow not to pay ransom to cybercriminals, US says, Reuters, 1 November 2023. Available online at https://www.reuters.com/technology/alliance-40-countries-vow-not-pay-ransom-cybercriminals-us-says-2023-10-31/.

Wootton-Greener, Julie, Some CCSD parents get suspicious email with information about their kids, Las Vegas Review-Journal, 26 October 2023. Available online at https://www.reviewjournal.com/local/education/some-ccsd-parents-get-suspicious-email-with-information-about-their-kids-2928929/.

Arid Viper Spreads Android Malware Disguides as Dating App

Just a couple of days ago we reported on the activities of the Hamas-aligned hacktivist group, Arid Viper. Cisco Talos now reports that the group has been running an 18-month campaign which targets Arabic-speaking Android users with malicious .apk (Android package) files.

Curiously, the malware is very similar to an apparently legitimate online dating application referred to as "Skipped", e.g. "Skipped - Chat, Match & Dating", specifically using a similar name and the same shared project on the app's development platform. This suggests that Arid Viper is actually behind the dating app, or somehow gained unauthorized access to its development platform. However, Skipped is only one of many linked fake dating apps for both Android and iOS, including VIVIO, Meeted and Joostly, suggesting that Arid Viper may make use of these apps in future campaigns. Arid Viper is known to have used similar "honey trap" tactics on Android, iOS and Windows in the past.

Under the covers, the malware uses Google's Firebase messaging platform as a C2 channel, and has the ability to gather system information, exfiltrate credentials, record, send and receive calls and text messages, record contacts and call history, exfitrate files, switch to a new C2 domain and also to download and execute additional trojanized apps.

Cisco Talos, Arid Viper disguising mobile spyware as updates for non-malicious Android applications, technical report, 31 October 2023. Available online at https://blog.talosintelligence.com/arid-viper-mobile-spyware/.

Surge in Office Add-ins Used as Droppers, Reports HP

In their Threat Insights Report for Q3 of 2023, HP Wolf Security reports a surge in the use of Excel add-in (.xlam) malware, which has risen from the 46th place in malware delivery file types in Q2 to 7th place in Q3. In many campaigns, the threat actors use an Excel add-in as a dropper, often carrying the Parallax RAT as a payload. The victims were lured into opening malicious email attachments containing Excel add-ins claiming to be scanned invoices, generally sent from compromised email accounts.

When the victim opens the attachment, it runs the Excel xlAutoOpen() function, which in turn makes use of various system libraries as a LOLbin strategy, making it harder for static analysis to flag the add-in as malware. The malware starts two threads: one creates an executable file called lum.exe and runs it, while the other creates a decoy invoice called Invoice.xlsx and opens it to distract the user. Meanwhile, lum.exe unpacks itself in memory and then uses process hollowing to take over another process. It also creates a copy of lum.exe in the AppData Startup folder to achieve persistence.

The malware itself is Parallax RAT, which can remotely control the infected PC, steal login credentials, upload and download files, etc. It requires no C2 infrastructure or support, which makes it easy for novice cybercriminals, can can be rented for only $US65 per month via the hacking forums where it is advertised.

Other tactics observed by HP's researchers include using malicious macro-enabled Powerpoint add-ins (.ppam) to spread XWorm malware and a campaign in which a threat actor lured novice cybercriminals into installing fake RAT's, thereby getting them to infect themselves with malware. Honestly, is there no honour among thieves any more?

HP Wolf Security, Threat Insights Report, Q3 - 2023, technical report, October 2023. Available online at https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q3-2023/.

Upcoming Courses

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink