Les Bell and Associates Pty Ltd

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Twitter/X Collects More Personal Data

As Elon Musk plans to expand X - the social network formerly known as Twitter - into a do-everything social network, the platform has revised its privacy policy to reflect its plans to collect additional personal data from and about its users.

Musk has approvingly eyed the social networks in China for some time, and his acquisition of Twitter was apparently the first move in a plan to replicate their success. WeChat, in particular, combines instant messaging, voice messaging, social media, video conferencing, video games, location sharing and - perhaps of most interest to Musk - mobile payment, in the form of Weixin Pay. Despite the fact that WeChat, or Wexin, as it is known in China, shares user activity and tracking information with Chinese authorities, the app is hugely popular, with many users barely using anything else.

Perhaps remembering his early involvement in PayPal, Musk would like to expand 'X' to incorporate mobile payment functionality, if not a full marketplace. This will, of course, require stronger authentication, and so the platform has amended its privacy Policy (at https://twitter.com/en/privacy) to state, "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes". However, the company has not stated what types of biometric data could be collected - facial scans? Iris scans? Fingerprints? - or what they would be used for.

And perhaps eyeing the success of LinkedIn, another clause states:

Given the cutting back ot Twitter's online safety and security teams, many users will view these additions with some concern.

Threat Actor Turns Object Store Into Backdoor

A new exploit chain discovered by Security Joes Incident Response team links some recent vulnerabilities in order to trojanize the MinIO object storage application and turn it into a backdoor, allowing full control over victim systems.

Many cloud services - which tend to be written in object-oriented languages - need to store unstructured data of various kinds, and so such data stores are a common feature of cloud providers. Examples include Amazon's S3, Azure Blob (Binary Large object) Storage and Google Cloud storage. These services provide API's which allow objects to be directly persisted, as opposed to using an object-relational mapping layer to store and object across multiple tables of a relational database.

However, apart from the major cloud service providers' offerings, there are alternatives - among them MinIO, an open-source high-performance distributed object storage system for the Linux platform, which provides both a RESTful API and a command line interfaces. In the case highlighted by Security Joes, their MDR team observed a MinIO application executing a series of bash commands and trying to use curl to download Python scripts from external servers.

Closer investigation revealed that the MinIO binary was not the genuine code - rather, it had ben trojaned to add extra code which would receive and execute commands via HTTP requests. Analysis of the code, coupled with a search of external repositories showed that it came from a GitHib project named 'evil_minio'. According to its maintainer, this modified version performs just like the genuine MinIO but adds a backdoor that can be accessed by adding the desired command to an 'alive' parameter in the URL:

http://vulnerable.minio.server/?alive=[shell_command]

Almost no effort is required to use this - in fact, the project maintainer has documented it extensively in a PDF!

The question then became, how did this trojaned version of MinIO get installed? The answer lies in two vulnerabilities:

• CVE-2023-28432 - an information disclosure vulnerability which reveals the values of environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD
• CVE-2023--28434 - a vulnerability which allows crafted requests to bypass metadata bucket name checking and place an object into any bucket while processing PostPolicyBucket

And so installation of the trojaned version is achieved by first, obtaining the admin credentials using CVE-2023-28432 via a POST request to /minio/bootstrap/v1/verify, using these credentials to connect via a remote MinIO command line client and then triggering an update, pointing to an update repository controlled by the attacker (using a specific repository can be useful for installations which are behind a firewall).

From this point on, the trojaned MinIO installation backdoor can be used to connect to a C2 server, fetching and executing a variety of post-exploitation bash scripts which can, in turn, be used to profile the compromised system as well as performing network reconnaisance, among other tasks.

The Security Joes blog post provides comprehensive and detailed analysis, along with IOC's and a MITRE ATT&CK mapping of TTP's. The simplest mitigation is to upgrade any MinIO installation to RELEASE.2023-03-20T20-16-18Z or later.

Security Joes, New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services, blog post, 4 September 2023. Available online at https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Sydney University Discloses Data Breach

A third-party service provider to the University of Sydney has suffered a data breach affecting "a limited number of recently applied and enrolled international applicants’ personal data".  The breach was confined to a single platform, and has not affected other university systems; the University claims that there is no evidence that any personal information has been misused, although experience shows that such statements often have to be revised over time.

So far, it appears that no data relating to domestic students, staff, alumni or donors has been affected, and the University is working to contact impacted students and applicants.

This incident is just the latest to affect a university, as the education sector - and its third-party providers - becomes an increasingly popular target.

University of Sydney, Cyber incident, web page, 30 August 2023. Available online at https://www.sydney.edu.au/about-us/governance-and-structure/cybersecurity/cyber-incident.html.

MS SQL Servers Targeted With Ransomware

Researchers from the Securonix Threat Research team have identified a campaign which targets Internet-exposed Microsoft SQL Server systems by brute forcing a login. After gaining access, the attackers immediately enumerate the database, in particular searching for other login credentials by using SQL statements like

SELECT name FROM sys.sql_logins WHERE name IS NOT NULL

Upon discovering that the xp_cmdshell stored procedure was enabled (!), the attackers used it to run commands such as wmic, whoami, net use, etc., on the underlying machine in order to enumerate system and user information.

Next, in order to secure persistent access, the attackers created several user accounts in the administrators group, then made a number of changes to enable RDP access, disabled the system firewall and mounted a remote shared drive using the SMB protocol, allowing them to transfer files and install their tools. From there, they installed the AnyDesk remote desktop program to provide an additional access mechanism.

This was followed by the installation of a port scanner to enumerate the local network and credential dumping using Mimikatz. In the case analyzed by Securonix, the threat actor seems to have decided the local network was not worth further exploration, and they dropped a modified variant of the Mimic ransomware, which sets about identifying and encrypting target files before leaving a ransom note in a text file.

The Securonix researchers dubbed this ransomware variant "FreeWorld", and the campaign itself DB#JAMMER. Their report maps the various stages of the attack to the MITRE ATT&CK matrix, and also provides IOC's and suggested mitigations.

Iuzvyk, D., T. Peck and O. Kolesnikov, Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware, blog post, 1 September 2023. Available online at https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Open Source Stealer Catches On Quickly

Black hats everywhere got a very nice present last Christmas with the publication on GitHub of the code for a versatile infostealer called SapphireStealer. It didn't take long for a variety of threat actors to latch on to this gift, downloading it and tinkering with the code to add functionality as well as to add detection-evasion features. By mid-January 2023, modified binaries were being uploaded to public malware repositories, and by now multiple threat actors have adopted SapphireStealer, continuing to adapt and improve its capabilities.

Now, researchers at Cisco Talos have provided an analysis of this increasingly popular black hat tool. Sapphire Stealer was written for the .NET platform and initially offered some basic functionality, such as capturing host information (IP address, hostname, OS and CPU architecture, etc.), screenshots, cached browser credentials and exfiltrating a variety of filetypes under the user's Desktop folder. It specifically targets Chromium-based browsers, killing their processes and then searching for their credential databases before taking a screenshot and creating a zipfile of this data, plus any files it finds.

The data is actually exfiltrated by using the SMTP protocol to send it via mail.ru, using embedded credentials - after all, if you can compile the source code, this eliminates any need for separate configuration files. However, later samples created by other threat actors use a variety of exfiltration methods including a Discord webhook API and Telegram channels, and also target a variety of additional filetypes. The code has also been refactored to make it more efficient.

However, the use of hardcoded SMTP credentials can leak information about the threat actors themselves - the Cisco Talos researchers were able to identify one hacker who rather sloppily seems to have used a personal email account which, matched with other clues in the source, led to his identification as a Russian freelance web developer. Tsk, tsk.

Brumaghin, Edmund, SapphireStealer: Open-source information stealer enables credential and data theft, blog post, 31 August 2023. Available online at https://blog.talosintelligence.com/sapphirestealer-goes-open-source/.

Light Bulbs Leak Credentials

While many smart home devices connect via the Zigbee low-bandwidth mesh network protocol, this involves the use of a gateway between the owner's wifi network and the Zigbee network - an additional expense which some manufacturers try to undercut by putting their devices directly on the 802.11 wi-fi network. This cuts costs, but it means that an attacker can use conventional tools and techniques to attack such devices and then potentially pivot, using them to attack more valuable targets on the wifi network. And this is a real problem because IoT devices are notorious for having vulnerabilities in their firmware, making them an ideal pivot point for attackers.

A classic example comes by courtesy of three researchers at the University of Catania in Italy and Royal Holloway, University of London. In a paper published in the Proceedings of the 20th International Conference on Security and Cryptography, they pretty much demolished the security of the Tp-Link Tapo Smart Wi-Fi Light Bulb, Multicolor (L530E), discovering four very basic vulnerabilities (the kind that would get my cryptography students a sharp comment in assignment feedback).

Like many such devices, the light bulb must first be joined to the user's wi-fi network. On first being powered up, the bulb operates as an access point with its own SSID of Tapo Bulb XXXX, and the user then connects their smartphone to this AP, using the Tapo app to provide the real network SSID and passphrase/key. The problem is that this transaction is almost completely unauthenticated, allowing an attacker to masquerade as a lightbulb and capture the owner's network credentials. This vulnerability garners a CVSS score of 8.8, i.e. high severity.

Such authentication as there is, is based on a keyed hash, which uses a hard-coded 32-bit key - and by capturing just one genuine message exchanged by a bulb with the Tapo app, this can be extracted via a brute-force offline attack in just over a couple of hours. (CVSS score: 7.6, high severity).

The third vulnerability is a classic of its type: the use of AES-238-CBC, i.e. cipher block chaining mode, with the same initialization vector for every message (CVSS score: 4.6, medium severity). And to complete the picture, the protocol is vulnerable to replay attacks, since there is no use of message ID's, timestamps or nonces to ensure message freshness (CVSS score: 5.7, medium severity).

The researchers responsibly disclosed these vulnerabilities to Tp-Link, of course, and the company is working on updated firmware for the bulbs. Meanwhile, the work experience kid or summer intern who wrote the code has presumably signed up for a cryptography class next semester.

But all this serves as a reminder: IoT devices and the vulnerabilities they bring with them can pose a severe risk to other devices on the same network. Placing devices like light bulbs and locks on a Zigbee network behind a gateway adds an extra level of security as well as additional benefits like increased range for external lights.

Binaventura, Davide, Sergio Esposito and Giampaolo Bella, Smart Bulbs can be Hacked to Hack into your Household, Proc 20th Intl. Conf. on Security and Cryptography, pp, 218-229. Available online at https://arxiv.org/abs/2308.09019.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

NCSC Warns of AI Chatbot Prompt Injection Attacks

AI chatbots, which use generative transformers to extract information from pre-trained large language models (LLM's), are very sensitive to the format of the prompts which are used to qury them. Increasingly, however, such chatbots are being integrated into a variety of products and services - some for internal use within organizations, and some for use by customers. And because some of the behaviours exhibited by these chatbots are unpredictable - think of 'AI hallucinations' which have caused LLM's to reference non-existent research papers or cite non-existent law cases - they are ripe for exploitation by creative hackers willing to experiment with prompts.

One problem is that LLM's are unable to distinguish between an instruction and data provided to help complete the instruction. This could, hypothetically, be exploited by an attacker who constructs an invoice or transaction request, with the transaction reference hiding a prompt injection on the LLM underlying the recipient's bank's AI chatbot. Later, when the recipient asks the chatbot, "Am I spending more this month?", the LLM analyses this month's transactions, encounters the malicious transaction and transforms this into a request to transfer funds to the attacker's account. Although this example is hypothetical, similar attempted attacks have been seen in the wild.

Over the years, we have developed a good understanding of SQL Injection, command injection and other injection attacks. But since LLM-based chatbots are intended to interact using natural human language, simple syntax-based input sanitzation techniques are unlikely to work without rendering the chatbot near-useless. We need to dig deeper into the semantic processing performed by transformers in order to make chatbots resistant to prompt injection; the problem is not dissimilar to making human users resistant to social engineering.

C, Dave, Exercise caution when building off LLMs, blog post, 30 August 2023. Available online at https://www.ncsc.gov.uk/blog-post/exercise-caution-building-off-llms.

NCSCand Partners Analyze Infamous Chisel Malware

In other news from the NCSC, it - along with a number of five eyes partners - has released a malware analysis report on the Infamous Chisel mobile device malware. Infamous Chisel, which targets Android devices is associated with the Sandworm threat actor group, which is linked to the Main Centre for Special Technologies (GTsST) within the GRU, Russia's military intelligence service.

In essence, Infamous Chisel is a collection of components which enable persistent access to an infected device via a backdoor over the Tor onion routing network or via SSH, while periodically collecting and exfiltrating victim information, such as device configuration, and files, either of commercial interest or from applications which are specific to the Ukrainian military. It can also scan the local network, gathering information about active hosts, open ports and banner messages.

The 35-page report provides a detailed analysis of the various components and IOC's, which are also available in STIX JSON and XML formats via CISA:

• AR23-243A STIX in JSON format: https://www.cisa.gov/sites/default/files/2023-08/AR23-243A%20Infamous%20Chisel%20Malware%20Analysis%20Report.stix_.json
• AR23-243A STIX in XML format: https://www.cisa.gov/sites/default/files/2023-08/AR23-243A.stix_.xml

NCSC, Infamous Chisel: Malware Analysis Report, report, 31 August 2023. Available online at https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/infamous-chisel/NCSC-MAR-Infamous-Chisel.pdf.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Another 'Good Hacking' Case Reported

In the cybersecurity world, we view risk as being all downside - but risk professionals will tell you that the inherent uncertainties sometimes work in your favour and produce favourable outcomes. The speculative risk in investments provide a good example: occasionally, a stock takes off for some reason, and you make a windfall. There aren't many such cases in our field, but it sometimes happens - for example, I've received vulnerability reports from unknown white - or, possibly grey - hats, tipping me off before a black hat discovered them.

Now, echoing yesterday's report of the FBI's stealthy distribution of a tool to disable the Qakbot malware, comes news of another hack-the-hackers exploit.

For some years, a piece of Portuguese-language phone spyware called WebDetetive has been implanted on the phones of victims in South America, generally manually, by someone known to the victim, and who knows the phone's passcode. Once installed, the spyware disguises itself by changing its icon, and then sets about uploading messages, call logs, phone call recordings, photos, ambient microphone recordings and precise location data to the WebDetetive servers. Whoever installed the spyware can now surveil the victim - which is why this type of spyware is often referred to as 'stalkerware'.

However, unnamed hackers recently identified several vulnerabilities which allowed them to compromise WebDetetive's servers and access its user database. Further exploiting the product's dashboard, which the stalkers use to surveil their victims, the hackers were able to download every dashboard record, including every customer's email address.

Using the dashboard, the hackers were also able to delete victim devices from the spyware network, preventing them from uploading further data. "Which we definitely did. Because we could. Because #fuckstalkerware", wrote the hackers in an undated note included among 1.5 GB of data scraped from the spyware's dashboard. This data included information about each customer - the IP address they had logged in from, their purchase history and also details of every device that customer had compromised, including the spyware version number and the types of data being collected. Importantly, the data did not include any data stolen from the victims' phones.

The data was indexed by DDoSecrets (https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets), who shared it with TechCrunch for analysis, revealing that 74,336 unique customer email addresses had used the spyware to compromise 76,794 victim phones.

The breach puts WebDetetive's management in a tough spot. Will they notify their customers of the breach, assuming they still have records to do so? Email enquiries sent by TechCrunch got no response. But a lot of phone users, particularly victims of domestic violence and abuse, can breath a little easier.

Whittaker, Zack, A Brazilian phone spyware was hacked and victims’ devices ‘deleted’ from server, TechCrunch, 27 August 2023. Available online at https://techcrunch.com/2023/08/26/brazil-webdetetive-spyware-deleted/.

Qakbot Advisory

Speaking of Qakbot, as we were just yesterday, CISA and the FBI have released a joint Cybersecurity Advisory to disseminate the IOC's discovered and used in the FBI takedown, along with recommendations for mitigation. There's quite a lot of useful detail in the 9-page advisory, including an overview of the botnet's three-tier C2 infrastructure and a mapping to the MITRE ATT&CK framework.

CISA, Identification and Disruption of QakBot Infrastructure, cybersecurity advisory, 30 August 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a.

Mozilla Security Updates

The Mozilla Foundation has released security updates to address vulnerabilities in:

• Firefox 117 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-34/)
• Firefox ESR 115.2 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/), and
• Firefox ESR 102.15 (https://www.mozilla.org/en-US/security/advisories/mfsa2023-35/)

You know what to do - end users, choose Help -> About Firefox in the menu and let the update download, while admins who redistribute the browsers in their organizations should get ready to roll out the new versions.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

FBI Takes Down Qakbot

The US DoJ and FBI have announced their successful disruption of the long-running Qakbot malware botnet in an international operation called "Operation Duck Hunt".

Qakbot appeared in 2008, initially as a banking trojan, but in the years since then has evolved, thorugh continual updates, into a general-purpose trojan dropper or second-stage loader used by multiple threat actor groups as a remote access trojan; its modular design provides remote code execution, the ability to install ransomware, keystroke logging and other functions. It can also be classified as a worm, since it can propagate itself to other systems on a network. Over the years, it has proved popular with ransomware gangs such as REvil, ProLock, ALPHV/BlackCat and Lockbit, who use it in their big game hunting.

Threat actors have usually obtained initial access by using malmail phishing campaigns; their emails carry malicious files - sometimes MS Office documents with malicious macros, but also archives such as ISO images - which the victim is lured into opening and running. This then injects the Qakbot code into a the memory of a legitimate process, in order to evade detection.

The FBI operation, which was conducted with international partners in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom, involved accessing the Qakbot C2 infrastructure; this allowed the identification of over 700,000 Qakbot-infected computers worldwide, including over 200,000 in the US. The Qakbot botnet traffic was then redirected to servers controlled by the FBI.

Now comes the "clever" part: in conjunction with technical partners, the FBI developed an uninstaller program for Qakbot, and their servers instruced the infected computers to download and run the uninstaller. The uninstaller consists of shellcode to unpack a custom DLL which sends a QPCMD_BOT_SHUTDOWN command via a named pipe which Qakbot uses for interprocess communications. This has the effect of shutting the Qakbot main thread and exiting the process in such a way that it will not restart after a reboot.

Many users will have been unaware that their systems had been infected, and the FBI's removal process is similarly invisible, so possible victims should check with services like https://haveibeenpwned.com/ to discover whether they were affected.

This operation has significantly disrupted the Qakbot botnet, but no arrests have been made, so its operators will doubtless be back with a new generation of their malware. In the meantime, the way the FBI invisibly distributed their uninstaller program is bound to renew debate about the ethical basis of the no-longer-quite-so-hypothetical 'good virus' approach to defeating malware. The argument used to be that users should be in control of every piece of code that runs on their system, but the complexity and opacity of todays operating systems and applications means that that particular horse bolted from the stable years ago.

Office of Public Affairs, US Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown, press release, 29 August 2023. Available online at https://www.justice.gov/opa/pr/qakbot-malware-disrupted-international-cyber-takedown.

Federal Bureau of Investigation, FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown, news release, 29 August 2023. Available online at https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown.

Secureworks, Law Enforcement Takes Down Qakbot, blog post, 29 August 2023. Available online at https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Authentication Vulnerability in Azure Active Directory

A key benefit of the federated identity management systems provided by cloud service providers like Google and Microsoft is the ability to authenticate to cloud applications without having to maintain credentials on all of them. To do this, the identity provider - in the case of Microsoft, this is Azure Active Directory - authenticates the user once, and then the user allows the relying party to obtain an authentication token from the identity provider.

This process involves the use of RESTful API's to pass the necessary messages among the parties. When a web service requests authorization for a user from the identity provider, it does so by calling an API, but the operation is not synchronous - rather, it registers an API URL which the identity provider will, in turn, call back, and this will run code which completes the authentication or login process in the web service. This API is called a reply URL or callback URL. A lot of cloud services work this way, as do widely-used web sites such as newspapers and magazines which integrate with cloud identity providers.

Now, researchers at Secureworks Counter Threat Unit have discovered a vulnerability which allows threat actors to redirect these reply URL's, and receive the authorization tokens which they can then exchange for access tokens and, eventually, achieve a privilege escalation attack.

The vulnerability was first observed early this year in an Azure AD API used by Microsoft's Power Platform - a low-code application development framework - and worked via an abandoned reply URL. Secureworks reported it to Microsoft, who confirmed the vulnerability, assigned it a critical severity rating, and promptly removed the abandoned reply URL API. But the researchers asked themselves the obvious question: are there other abandoned reply URL API's in Azure AD applications which could be similarly exploited.

After developing a scanner which would search for abandoned reply URL values and confirm if they were available for registration, they had their answer: yes, there were. The exploit itself is quite involved, so I won't get into the details here; the Secureworks blog post does a good job of that. But the researchers found an abandoned Dynamics Data Integration app reply URL, associated with the Azure Traffic Manager profile, which was pre-consented and therefore required no additional consent to stage the attack.

The researchers reported the vulnerability to the Microsoft Security Response Center, who immediately investigated and released an update the following day. However, this entire saga illustrates the dangers posed by outdated and abandoned API's. It's important for developers and operations personnel not just to focus on deployment of new API's, but also to include a procedure for retirement of the old ones.

Counter Threat Unit Research Team, Power Platform Privilege Escalation, threat analysis, 24 August 2023 (updated 28 August 2023). Available online at https://www.secureworks.com/research/power-platform-privilege-escalation.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

BitLocker Broken Using Cheap Logic Analyzer

One of the most common - and, generally, most effective - safeguards for mobile devices such as laptop computers is the use of encrypted filesystems such as BitLocker, Veracrypt and others. And, of course, to protect the encryption key used for an encrypted volume, the best option would be to store it, not on the disk itself, but in the Trusted Platform Module.

This is the way that BitLocker works; the BitLocker partition on a laptop is encrypted using a Full Volume Encryption Key, which is itself encrypted using the Volume Master Key and then stored on the disk, next to the encrypted data. The Volume Master Key is sealed in the TPM chip, and only unsealed when the system is booted.

Now, pen tester and security engineer Guilaume Quéré has demonstrated a fairly simple and inexpensive attack which extracts the Volume Master Key as it is transferred over the laptop SPI (Serial Peripheral interface) bus from the TPM to the CPU. Quéré accomplished this attack on a Lenovo L13 laptop, using a sub-$US100 logic analyzer, admittedly pushing it to its limits. The SPI bus has several lines, but the best the DSLogic analyzer can do is to sample three of them without exceeding its limits - but fortunately only the clock (CLK) and the two data lines (MOSI and MISO) are required. And rather than trying to connect to the tiny pins of the TPM chip, he was able to pick these signal lines of a larger nearby flash memory chip which is also on the SPI bus.

Once the logic analyzer was successfully capturing the signal, the next step was to decode the protocol used to transfer the VMK. In fact, there are three layers involved:

• SPI (the physical layer)
• TIS (TPM Interface Specification)
• TPM 2.0 (which carries the TPM commands and the VMK itself)

According to Quéré, it was the TIS layer that proved most challenging, perhaps because his captures did not include the SPI bus's CS (Chip Select) signal. In the end, Quéré resorted to manually decoding these frames. From there, he was able to identify the TPM_Unseal command in the TPM 2.0 frames, and then find the response, which comes around 10 ms later and carries the 256-bit Volume Master Key. From there, it was a simple matter of a few commands to mount the disk and bypass the BitLocker protection.

According to Quéré, the use of the TPM does not increase the security of the system as expected, especially since a more expensive, professional-grade logic analyzer - well within the budget of even moderately serious threat actors - would have saved a lot of time and simplified the attack. Currently, the best safeguard will be to set a passphrase or PIN on BitLocker; in the longer term, integration of the TPM onto the CPU die will mean that the communication between them is not externally exposed.

Quéré, Guillaume, Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop, blog post, undated. Available online at https://www.errno.fr/BypassingBitlocker.html.

Rowntree, Dave, Bypassing Bitlocker With A Logic Analzyer, Hackaday, 25 August 2023. Available online at https://hackaday.com/2023/08/25/bypassing-bitlocker-with-a-logic-analzyer/.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Credential Abuse Our Biggest Problem, Says Sophos

In their mid-2023 Active Adversary Report for Tech Leaders, Sophos provide some interesting food for thought. Based on data summarized from the firm's incident response investigations for the first half of this year, the goal is to provide better insight on changes in the threat landscape.

Perhaps the most significant finding is that the initial access techniques favoured by threat actors have changed. As before, attackers exploited external remote services (such as VPN's and gateways to Citrix servers, etc.) and public-facing applications, including email gateways (Exchange - we're looking at you). However, they are no longer primarily exploiting vulnerabilities to do this but rather compromising credentials - vulnerabilities lay at the root of only 23% of exploitations, while compromising account credentials accounted for 50%. Furthermore, having access to a legitimate account makes it easier for an intruder to evade detection. (Only yesterday we mentioned the Cyber Safety Review Board report on Lapsus$ and related attacks; Lapsus$ used quite simple social engineering techniques to obtain credentials, very successfully.)

The obvious implication for defenders is that there is enormous return on a minimal investment to be had in the deployment of multi-factor authentication. Sophos state that MFA was not configured in 39% of the cases examined for their report - and as confirmation of the effectiveness of strong, phishing-resistant MFA, they observe that one of the very latest social-engineering tactics is texting to encourage the recipient to disable their Yubikey.

The decline in the successful exploitation of vulnerabilities does not mean that rapid patching is less necessary, however - in fact, it might reflect the fact that we are getting better at it. Sophos point to the US Government's Binding Operational Directive 19-02, which states that:

• Critical vulnerabilities must be remediated within 15 calendar days of initial detection
• High vulnerabilities must be remediated within 30 calendar days of initial detection

This has prompted US Government agencies to improve their patch management, and this is reflected in CISA's 2022 Risk and Vulnerability Assessments, which found that only 1% of initial access attacks were due to exploits - but compromised credentials were responsible for 54%. Are we seeing the pattern here?

In Sophos' previous report, just two vulnerabilities accounted for 55% of exploits investigated: ProxyShell and Log4Shell, both of which already had patches released. In the FHY 2023 data, there were no Log4Shell exploits, but ProxyShell lives on, along with a few other vulnerabilities which had been patched in 2020 and even 2019. There is obviously still scope for a lot more improvement in patch management.

The Sophos report provides other insights which are, at first glance, more comforting - for example, dwell times (the delay between exploitation and detection) is falling. But looking more deeply into this, it's actually bad news: the dwell time for ransomware has fallen from 9 days to 5 days, as its operators exfiltrate data more quickly before encrypting files, making the infection obvious, while the dwell time for non-ransomware incidents has risen slightly, from 11 days to 13 days.

There's more bad news for Windows network admins, although they probably know it already: after gaining initial access, threat actors are pivoting more quickly than ever to exploit Active Directory servers, which give them greatly enhanced capabilities within networks, including the ability to manipulate accounts and policies throughout the domain. They also continue to exploit RDP (Remote Desktop Protocol) to move laterally - in fact, it was used in 95% of attacks, up from 88% in 2022.

There's a lot more to digest in the Sophos report: it discusses exfiltration techniques, the various types of attacks (ransomware, network breaches, extortion and exfiltration, web shells, denial of service, etc.) and the times and weekdays thy are run, as well as attribution to various threat groups. Much to consider, from a strategic threat intelligence perspective.

Shier, John, Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders, technical report, 23 August 2023. Available online at https://news.sophos.com/en-us/2023/08/23/active-adversary-for-tech-leaders/.

New Release of Security Onion

Many of us are running a security operations center on a tight budget, and a favourite tool is Security Onion, an open-source SOC platform which has had over 2 million downloads. Security Onion integrates well with the Elastic stack, and offers signature-based detection via Suricata, protocol metadata and file extraction using Zeek or Suricata, packet capture via Stenographer and file analysis via Strelka.

The preview version 2.4 Security Onion Console has a number of new features:

• add a value directly from a record in Hunt, Dashboards, or Alerts as an observable to an existing or new case
• a new DNS lookup capability
• pivots for relational operators on numbers
• Cases support dynamic observable extraction
• import of PCAP and EVTX files

Among the many new admin features in the SOC Administration interface:

• user management
• a new Grid Members Interface to manage adding and removing nodes
• Configuration interface for most aspects of deployment
• Grid interface has been improved to show more status information about your nodes
• a simplified installer
• new members of the grid are now configured in the Grid Members interface
• SOC authentication has been upgraded to include additional authentication protections, such as rate-limiting login requests and support has been added for passwordless login via Webauthn

In addition, the ISO image has been updated from the aging CentOS 7 to Oracle Linux 9. Security Onion is available at https://github.com/Security-Onion-Solutions/securityonion, and the 2.4.10 release can be found at https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/DOWNLOAD_AND_VERIFY_ISO.md.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

---

Lapsus$ Hacker Finds Out

As we reported back in September last year, a Oxfordshire teenager was arrested on suspicion of being a key player in attacks on Rockstar Games and Uber. The teenager, now 18, has been identified as Arion Kurtaj, a key member of the Lapsus$ ransomware gang who, along with other teenagers in the UK and Brazil, conducted social engineering and more technical lateral movement exploits in extortion attacks on Rockstar, Uber, Microsoft, BT, Nvidia and Cisco, among others. Along with another 17-year-old (who is still 17, and therefore cannot be named), Kurtaj was charged with counts of blackmail, fraud and offences under the UK's Computer Misuse Act.

Back in July, psychiatrists assessed Kurtaj as autistic and deemed him not fit to stand trial; however, a trial of the other teenager was commenced, during which the jury was asked to determine whether or not he had done the acts alleged, but not whether he did them with criminal intent. They found that he had. The other teenager was found guilty.

Both defendants were unable to resist the temptation to engage in cybercrime. Despite being arrested in January 2022, upon their release they breached Nvidia's systems, using a hired accomplice to call the company's help desk to obtain credentials. They also used MFA push fatigue attacks in order to get employees to verify their logins. They were re-arrested in late March 2022, but upon his release, Kurtaj broke his bail conditions by going online again - in fact, a few weeks after the City of London Police arrested and then released him, he accessed that police force's cloud storage.

So effective were the teenagers that the US DHS ordered its Cyber Safety Review Board to examine and report upon their attacks; their report was released earlier this month, with a number of key recommendations, including a move away from voice and SMS-based MFA in favour of phishing-resistant FIDO-compliant MFA methods.

The teenagers' alleged Brazilian accomplice was arrested in October and will doubtless stand trial in that jurisdiction. Despite the fact that Kurtaj was not fit to stand trial, and did not give evidence, he is remanded in custody and both he and the unnamed teenager will be sentenced by Her Honour Judge Lees at Southwark Crown Court at a later date.

City of London Police, On the evening of Thursday 22 September ..., tweet, 23 September 2022. Available online at https://twitter.com/CityPolice/status/1573281533665972225.

Tidy, Joe, Lapsus$: Court finds teenagers carried out hacking spree, BBC News, 23 August 2023. Available online at https://www.bbc.com/news/technology-66549159.

Uncredited, Cisco Talos shares insights related to recent cyber attack on Cisco, blog post, 11 September 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.

Cyber Safety Review Board, Review of the Attacks Associated with Lapsus$ and Related Threat Groups, technical report, 24 July 2023. Available online at https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report.

---

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.