Blog entry by Les Bell

by Les Bell - Wednesday, 17 August 2022, 5:56 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Google Wins One, Loses One

Last year, in proceedings brought by the Australian Competition and Consumer Commission (ACCC), the Federal Court found that Google breached Australian consumer law during 2017 and 2018 by telling Android users that the only Google account setting they needed to change in order to stop the search giant collecting their location data (which is personally identifiable information) was the 'Location History' setting. In fact a second account setting, 'Web & App Activity', also had to be turned off, and it was turned on by default.

Now the Federal Court has ordered Google to pay $60 million in penalties for this breach. Fortunately for Google, the conduct occurred before the maximum penalty for breaches of Australian consumer law was increased: from November 2018 the maximum became the greater of $10 million, three times the benefit obtained from the conduct or, if that benefit cannot be determined, 10% of annual turnover.

On the other hand, in an appeal to the High Court, Google's argument that a search engine is not a publisher was successful. The High Court overturned two previous rulings that Google was a publisher and, by refusing to take down a link, was liable for defaming a Melbourne lawyer. Google's argument was that a hyperlink only communicates that something exists or where it exists, and that it is the operator of the linked web page who communicates the content to the user. In a majority ruling, the High Court agreed: "The provision of a hyperlink in the Search Result merely facilitated access to the ... article and was not an act of participation in the bilateral process of communicating the contents of that article to a third party".

ACCC Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.

Byrne, Elizabeth, High Court finds Google is not a publisher in crucial win for search engine, ABC News, 17 August 2022. Available online at https://www.abc.net.au/news/2022-08-17/high-court-decision-google-not-publisher-george-defteros/101340622.

Secure Boot Loader Causes More Problems

We previously wrote about problems with the Windows secure boot process being subverted by some vendors' code. Unfortunately, it seems the cure is worse than the disease, for some users at least.

Last week's patch, KB5012170, adds the signatures of the affected vendors' boot managers to the Secure Boot Forbidden Signature Database (DBX), which holds the UEFI revocation list. However, systems which do not have a valid bootloader will generate a 0x800f0922 error and fail to install the patch - fortunate for the user, since the system would not boot if the patch were applied.

Other users are reporting that after the patch is applied, Windows 11 PCs boot to a BitLocker recovery screen - not a problem if the user has the recovery key, but home users frequently do not. In well-managed environments, a domain administrator can recover the key from Active Directory Domain Services, provided it was escrowed there before the machine was patched.

Windows 10 users are reporting other problems - slow boot times or their RAID mode being changed to AHCI in the firmware settings, triggering a Blue Screen of Death.
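The following pre-flight script is an added example written for this briefing; it is not Microsoft's code and does not come from The Register article. Before pushing a DBX update such as KB5012170, it records the Secure Boot state and current DBX size, checks whether the update is already present, and confirms that every BitLocker-protected volume has a recovery-password protector that can be escrowed to AD DS. It assumes an elevated session on a UEFI machine with the SecureBoot and BitLocker PowerShell modules available; the function names are my own.

```powershell
# Added example: pre-flight checks before applying a Secure Boot DBX update.
# Not Microsoft's code; function names are assumptions made for this example.

function Get-SecureBootPreflight {
    $report = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $report.SecureBootEnabled = try { Confirm-SecureBootUEFI } catch { $false }

    # Size of the current revocation list (DBX). A DBX update grows it, and that
    # change is part of what the TPM measures, which is why BitLocker may prompt
    # for recovery afterwards.
    $report.DbxBytes = try { (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { 0 }

    # Is KB5012170 already installed?
    $report.KB5012170Installed = [bool](Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue)

    # Per-volume BitLocker state and whether a recovery-password protector exists.
    $report.Volumes = foreach ($v in Get-BitLockerVolume) {
        $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            Protection          = $v.ProtectionStatus
            HasRecoveryPassword = [bool]$rp
            ProtectorIds        = @($rp.KeyProtectorId)
        }
    }

    [pscustomobject]$report
}

# Escrow every recovery-password protector to AD DS. Requires the domain policy
# that allows BitLocker recovery information to be stored in AD DS; on Azure AD
# joined machines use BackupToAAD-BitLockerKeyProtector instead.
function Backup-RecoveryProtectors {
    foreach ($v in Get-BitLockerVolume) {
        $rps = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($rp in $rps) {
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $rp.KeyProtectorId
        }
    }
}

$pre = Get-SecureBootPreflight
$pre | Format-List
$pre.Volumes | Format-Table -AutoSize

if (-not $pre.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off: the DBX update does nothing for this machine.'
}
$unprotected = $pre.Volumes | Where-Object { $_.Protection -eq 'On' -and -not $_.HasRecoveryPassword }
if ($unprotected) {
    Write-Warning ("Encrypted volume(s) without a recovery password protector: " +
                   ($unprotected.MountPoint -join ', ') + ". Add one before patching.")
} else {
    Backup-RecoveryProtectors
}
```

The usual way to avoid the recovery prompt altogether is to suspend BitLocker for one reboot (`Suspend-BitLocker -MountPoint C: -RebootCount 1`) before the update is applied, so the TPM re-seals the key against the new measurements; the escrow step above is the safety net for when that is forgotten.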

Speed, Richard, Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery, The Register, 15 August 2022. Available online at https://www.theregister.com/2022/08/15/bitlocker_microsoft/.

Millions of Realtek-based Network Devices Vulnerable

Researchers from Argentinian company Faraday Security have demonstrated proof-of-concept code to exploit a vulnerability they discovered in the Realtek RTL819x system-on-a-chip (SoC). This chip is used in millions of networking devices such as routers.

Ilascu, Ionut, Exploit out for critical Realtek flaw affecting many networking devices, Bleeping Computer, 16 August 2022. Available online at https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/.

Equifax Fallout Continues; SEC Charges Three

We have written previously about security governance requirements, and in particular the guidance issued by the SEC in February 2018, which appears to have been triggered by its investigation of the infamous Equifax breach. The same incident continues to have repercussions, this time for a finance manager at the public relations firm engaged by Equifax to assist with the breach, as well as her husband and his brother. The SEC alleges that upon learning of the breach, Ann M. Dishinger tipped off her husband, who arranged with a former business client to buy put options on Equifax stock on the understanding that they would split any profits realized. The SEC further alleges that he helped his brother set up a similar arrangement with an old high school friend. These arrangements allegedly netted approximately US$108,000 in profits, split between the participants.

U.S. Securities and Exchange Commission, SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement, Litigation Release No. 25470, 16 August 2022. Available online at https://www.sec.gov/litigation/litreleases/2022/lr25470.htm.

Chrome Zero-Day In The Wild

A vulnerability in the Chrome desktop browser, reported to Google by its own Threat Analysis Group in July, now has an exploit circulating in the wild. CVE-2022-2856 is a case of insufficient validation of untrusted input in Intents, and Google has responded by pushing out an update which also fixes ten other security flaws, mostly use-after-free bugs in Chrome components.

Lakshmanan, Ravie, New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild, The Hacker News, 18 August 2022. Available online at https://thehackernews.com/2022/08/new-google-chrome-zero-day.html.

Trojan Dropper Lives On, Thanks to Anti-Forensics

Researchers from Secureworks have done a deep analysis on a sophisticated trojan dropper called DarkTortilla which has been circulating since 2015, yet manages to still spread widely, dropping malware on behalf of a wide range of threat actors, due to its complex anti-forensics techniques.

DarkTortilla usually arrives via targeted malicious e-mails (malmails) carrying infected attachments, often zip files and other archives, or ISO images. When the user double-clicks to open the contained document, they actually run the DarkTortilla initial loader. From there, the core component goes to work, but what it does is highly configurable, with the configuration embedded in bitmap images. It will typically check whether it is running in a virtual machine or sandbox, set up registry keys so it can persist, migrate itself to the Windows %TEMP% directory, process any add-on files, and switch its execution environment to its install directory. Once this is done, it injects and executes its main payload, taking additional steps to prevent interference with its various components.
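The persistence pattern described above, a registry autostart entry that launches something living under %TEMP%, is a generic one that is cheap to hunt for. The script below is an added example written for this briefing, not code from the Secureworks report, and it uses no DarkTortilla-specific indicators (which this page does not list); it simply walks the Run and RunOnce keys for the current user and the machine and flags any command whose executable resolves to a Temp directory. The function names and the sample entries are constructed for the example.

```powershell
# Added example: hunt for Run/RunOnce autostart entries whose executable lives under
# a Temp directory. Generic heuristic, not a DarkTortilla signature; function names
# and sample entries are constructed for this example.

function Test-TempAutostart {
    param([string]$Command)
    # Pull the executable out of the command line: either the quoted first token
    # or, failing that, everything up to the first whitespace.
    $exe = $Command -replace '^\s*"([^"]+)".*$', '$1'
    if ($exe -eq $Command) { $exe = ($Command -split '\s+')[0] }
    # Expand %TEMP%, %LOCALAPPDATA% and friends so the path check sees the real location.
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    return [bool]($expanded -match '\\Temp\\|\\Tmp\\')
}

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspiciousAutostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            if (Test-TempAutostart -Command ([string]$p.Value)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Constructed sample command lines (not real indicators) to show the classifier:
$samples = @(
    'C:\Program Files\Vendor\Updater.exe /silent',            # benign -> False
    '"%TEMP%\svchost.exe"',                                   # quoted, under %TEMP% -> True
    'C:\Users\alice\AppData\Local\Temp\loader.exe -k'         # explicit Temp path -> True
)
foreach ($s in $samples) { '{0}`t{1}' -f (Test-TempAutostart -Command $s), $s }

# Live check of this machine's autostart keys (HKLM needs no elevation to read).
Get-SuspiciousAutostart | Format-Table -AutoSize
```

A hit is not proof of malware; installers occasionally stage a one-shot RunOnce entry from Temp. It is, however, exactly the kind of entry that deserves a look at the file's signature, creation time and parent process, and the same check extends naturally to the per-user Startup folder and scheduled tasks.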

Different threat actors will use DarkTortilla to deliver any of several different payloads - usually remote access trojans such as AgentTesla, NanoCore and AsyncRAT, but also keystroke loggers and toolkits such as Metasploit and Cobalt Strike. Occasionally, it will deliver ransomware.

It is easy to see why this trojan dropper has lived so long - it's incredibly versatile and valuable to threat actors, and its sophisticated anti-forensics and configurability represent a considerable investment which is worth maintaining.

Counter Threat Unit Research Team, DarkTortilla Malware Analysis, Secureworks, 17 August 2022. Available online at https://www.secureworks.com/research/darktortilla-malware-analysis.

Lazarus Group Chases Crypto Via Job Seekers

North Korean threat groups notoriously pursue hard currency and crypto assets in an attempt to bypass sanctions, and Lazarus Group has recently been discovered targeting fintech job seekers using an infected PDF containing information about a job opening at exchange operator Coinbase.

While the initial attacks infected Windows machines only, the latest variant also targets Mac users, with a malware payload signed using an Apple-issued developer certificate, which may well have been revoked by now.

Ilascu, Ionut, North Korean hackers use signed macOS malware to target IT job seekers, Bleeping Computer, 17 August 2022. Available online at https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Thursday, 18 August 2022, 8:55 AM ]