Blog entry by Les Bell

by Les Bell - Tuesday, 9 August 2022, 9:58 AM

News Stories

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

Targeted Ransomware Attacks on South Korea

South Korean manufacturing, pharmaceutical and healthcare companies are being targeted by Linux and Windows ransomware which will lock up files, including VMware ESXi virtual machines. The GwisinLocker ransomware is produced by an otherwise-unidentified threat actor with a good knowledge of South Korean business - the attacks occurred on Korean public holidays and in the early hours of the morning. "Gwisin" means "ghost" in Korean.

The ransom note text files left behind include a lot of very specific information, including the victim company name and the types of data stolen, indicating a highly targeted attack.

Toulas, Bill, New GwisinLocker ransomware encrypts Windows and Linux ESXi servers, Bleeping Computer, 6 August 2022. Available online at https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/.

Cheat Sheet Maps MITRE ATT&CK to Google Cloud Platform

MSSP Expel is offering a mind map cheat sheet which maps the MITRE ATT&CK framework to the services and API calls a threat actor would use at each stage of an attack in Google Cloud Platform. The 18-page map is useful to SOC analysts for incident response triage and investigations as well as to security architects designing instrumentation for SOAR.

It wouldn't be too difficult to re-map this approach to other cloud platforms like AWS and Azure. It's not a playbook, but a very useful adjunct.

Pellett, Kyle, A defender's MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP), Expel Inc, 5 August 2022. Available online at https://expel.com/blog/mitre-attack-cheat-sheet-for-gcp/ (registration required for download).

Fixing Open Source Vulnerabilities At Scale

Because thousands of open source projects are, firstly, open source and, secondly, hosted on public repositories like GitHub, it is possible to use search tools like GitHub's code query language, CodeQL, to find common vulnerabilities across many projects and automate their reporting and fixing. Jonathan Leitschuh, inaugural Dan Kaminsky Fellow at HUMAN Security, has used his fellowship year to work on refining tools and methods for this process, and will be delivering a presentation on it at Black Hat in Las Vegas this week.

Given that open source components permeate not just the open source culture but also vast swathes of the proprietary code ecosystem, vulnerabilities in them can be devastating, as we have seen with the notorious Log4J vulnerability. This research could well have a massive payoff.

Chickowski, Ericka, We Have the Tech to Scale Up Open Source Vulnerability Fixes - Now It's Time to Leverage It, Dark Reading, 9 August 2022. Available online at https://www.darkreading.com/dr-tech/we-have-the-tech-to-scale-up-open-source-vulnerability-fixes-now-it-s-time-to-leverage-it.

Insurer Found Not Liable for Ransomware Remediation

The Federal Court of Australia has delivered a judgement in favour of the insurer in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883. Inchcape had suffered a ransomware attack which had encrypted its primary server, deleted the primary and offsite (!?!) backups, spread to client machines and exfiltrated data, and had claimed for the costs of incident response and forensic investigations, the costs of replacing hardware, data recovery and the additional manpower requirements.

Their policy with Chubb had three separate agreements covering (1) computer systems fraud in general, (2) direct financial loss from computer virus and similar programs, and (3) direct financial loss resulting from the fraudulent modification of electronic data, electronic media or electronic instruction.

The case primarily hinged on whether the expression "direct financial loss resulting directly from" in the latter two agreements would include the incident response costs, hardware replacement, etc. or be limited to just the cost of actually reproducing the lost data, etc.

I have simplified this substantially - Justice Jagot's judgement lays out the questions in much greater detail. The reasoning is very much restricted to the specific policy and circumstances, but is a useful reminder to have your corporate counsel review the fine print of your insurance policies. In particular, be aware that cyber insurance policies are designed to provide specific incident response expertise and to cover those costs - what Inchcape had was a more general - but tightly worded - policy to cover the costs of data recovery only.

Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883, Federal Court of Australia, 1 August 2022. Available online at https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2022/883.html.

Danish 7-Eleven Stores Closed Due to POS Attack

7-Eleven stores throughout Denmark were closed on Monday, due to an early-morning cyber attack on their checkout and point-of-sale systems.

There's a business continuity planning challenge here: keeping an old-fashioned cash register on hand is not going to be any use; since COVID-19 struck, almost everyone uses cashless, contactless payment these days - in fact, credit cards are less used than smartphone payment systems.

Abrams, Lawrence, 7-Eleven stores in Denmark closed due to a cyberattack, Bleeping Computer, 8 August 2022. Available online at https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/.

Incident Response Delay Comes Back to Bite Experian

Credit reference company Experian suffered a major breach in July, due to really bad design of its account recovery processes. It appears that customers could regain access to locked accounts by simply recreating them on a different email address, using their name, address, phone number, social security number and answering a few questions based on publicly-available information.

Experian's real problem was that a couple of customers contacted security blogger Brian Krebs, who set out to replicate their experience and investigate further, publishing his findings. At this point, a major vulnerability was public knowledge, but rather than moving rapidly to fix it, Experian downplayed the problem and claimed that additional controls would prevent account hijacking. Unfortunately, this was incorrect, and a number of people had their accounts hijacked.

Experian is now facing a class action for their failure to fix this issue, with the filing quoting liberally from the KrebsOnSecurity article. It is doubtful whether much will result from this, but it does illustrate the need to move quickly to really address a vulnerability disclosure, rather than relying on crisis communications to manage public sentiment.
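The design flaw described above is worth seeing in code. The following Python is an added illustration, not Experian's code and not taken from the Krebs article; the account store, the identity attributes, the email addresses and the server key are all constructed. It contrasts a sign-up path that treats knowledge of identity attributes (name, date of birth, SSN) as proof of ownership, so that a fresh enrolment on a new email silently takes over the existing account, with a hardened path that refuses a second enrolment of an already-registered identity unless the request proves control of the contact channel already on file, and records every such attempt for detection.

```python
"""Account-recovery design check: knowledge of identity attributes is not ownership.
Added illustration with constructed data; not Experian's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    identity_key: str          # keyed hash of the identity attributes, never the raw SSN
    locked: bool = False


class AccountStore:
    """Two sign-up paths over one store: a flawed one that re-binds an identity to
    whichever email repeats the attributes, and a hardened one that demands a
    possession proof delivered to the contact channel already registered."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._by_email: dict[str, Account] = {}
        self._by_identity: dict[str, Account] = {}
        self._pending_codes: dict[str, str] = {}   # registered email -> one-time code
        self.audit: list[dict] = []                # events a SOC rule could alert on

    def identity_key(self, name: str, dob: str, ssn: str) -> str:
        # HMAC over normalised attributes so the store holds no plaintext SSN.
        msg = "|".join([name.strip().lower(), dob, ssn.replace("-", "")]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _bind(self, email: str, key: str) -> Account:
        acct = Account(email, key)
        self._by_email[email] = acct
        self._by_identity[key] = acct
        return acct

    # --- flawed path ---------------------------------------------------------
    def insecure_signup(self, email, name, dob, ssn) -> Account:
        """Anyone who can answer the identity questions gets the identity bound to
        their own email; the previous binding is overwritten without any check."""
        return self._bind(email, self.identity_key(name, dob, ssn))

    # --- hardened path -------------------------------------------------------
    def issue_recovery_code(self, email: str) -> str:
        """One-time code that a real system would send only to the email or phone
        already on file; returned here so the simulation can use it."""
        code = secrets.token_hex(8)
        self._pending_codes[email] = code
        return code

    def hardened_signup(self, email, name, dob, ssn, recovery_code=None) -> Account:
        key = self.identity_key(name, dob, ssn)
        existing = self._by_identity.get(key)
        if existing is None:
            return self._bind(email, key)
        # Identity already enrolled: log for detection, then require possession proof.
        self.audit.append({"event": "duplicate_identity_signup",
                           "existing_email": existing.email, "new_email": email})
        expected = self._pending_codes.get(existing.email, "")
        if not recovery_code or not hmac.compare_digest(recovery_code, expected):
            raise PermissionError("identity already enrolled; recover via the registered channel")
        del self._pending_codes[existing.email]
        del self._by_email[existing.email]     # explicit, audited re-binding
        self.audit.append({"event": "account_rebound", "from": existing.email, "to": email})
        return self._bind(email, key)

    def owner_of_identity(self, name, dob, ssn):
        acct = self._by_identity.get(self.identity_key(name, dob, ssn))
        return acct.email if acct else None


def demo() -> dict:
    """Constructed scenario: a customer enrols, then a second party who knows the
    customer's attributes tries to enrol the same identity on a different email."""
    victim = ("Pat Example", "1980-01-01", "000-00-0000")      # constructed values
    flawed = AccountStore(b"constructed-server-key")
    flawed.insecure_signup("pat@example.com", *victim)
    flawed.insecure_signup("other@example.net", *victim)       # silently takes over

    hardened = AccountStore(b"constructed-server-key")
    hardened.hardened_signup("pat@example.com", *victim)
    try:
        hardened.hardened_signup("other@example.net", *victim)  # no possession proof
        refused = False
    except PermissionError:
        refused = True
    code = hardened.issue_recovery_code("pat@example.com")      # delivered out of band
    hardened.hardened_signup("pat-new@example.org", *victim, recovery_code=code)
    return {
        "flawed_owner": flawed.owner_of_identity(*victim),
        "hardened_refused": refused,
        "hardened_owner": hardened.owner_of_identity(*victim),
        "alerts": [e["event"] for e in hardened.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `audit` list is that a duplicate-identity enrolment is a signal in its own right: even when the hardened path refuses it, the attempt should reach the SOC, because a burst of such events against many identities is exactly the pattern that followed the public disclosure.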

Krebs, Brian, Class Action Targets Experian Over Account Security, KrebsOnSecurity, 5 August 2022. Available online at https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/.

Amazon Acquired iRobot - Here's Why

Last week, retail giant Amazon acquired iRobot Corp., maker of the best home appliance ever, the Roomba (as well as various other mopping, gutter-cleaning and other gizmos). Although Amazon does use Roomba-like gadgets in its warehouses (as does IBM, for temperature monitoring in the aisles of its data centers), and iRobot is a profitable business with lots of growth potential, these are perhaps not the real motivation for the acquisition.

It's about mapping the inside of your home. Amazon has big designs on being a smart-home company; its Echo smart speakers outsell their rivals, in part due to low pricing which Amazon will recoup through the devices' ability to directly order products from the company with minimal user effort. These smart speakers support a smart home ecosystem that can interact with lighting, security cameras, thermostats and much more. The company also sells tablets and streaming services, and has acquired grocery retailer Whole Foods, doorbell manufacturer Ring and wi-fi device manufacturer Eero.

But until now, Amazon hasn't known exactly where these gadgets were. Now, mapping data from the Roomba meandering from room to room will tell the company the size of your home, the layout of the rooms, the furniture layout, and much more. It's going to be interesting to see how privacy advocates and legislators respond to this.

Webb, Alex, Amazon's Roomba Deal Is Really About Mapping Your Home, Bloomberg, 6 August 2022. Available online at https://www.bloomberg.com/news/articles/2022-08-05/amazon-s-irobot-deal-is-about-roomba-s-data-collection.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

[ Modified: Tuesday, 9 August 2022, 10:16 AM ]