Cyberweekly #215 - Make things open, it makes things better
Published on Sunday, November 06, 2022
As annual reports often tell us, the speed and capability of cyber crime groups and bad actors on the internet is constantly increasing.
Red teamers, ethical hackers, and vulnerability researchers share their findings openly, and bad actors are increasingly taking advantage of that information sharing to build or improve offensive tools out of that information.
But we're getting better at sharing information as defenders and builders as well.
Those same annual reports give us the strategic context and often well-validated numbers that can help justify cybersecurity programme spend. They can also give us information about what the changing trends are, and what things we need to be careful of.
Those reports consistently say that speed of patching is important, and we're increasingly getting to a level where it's almost impossible to get the patch, test the patch and roll it out across your infrastructure by hand. Instead we need automation, and we need knowledge of how well that patch is working to be shared in order to keep up.
But we also need to understand our own vulnerability. The new NCSC vulnerability scanning service is a great example of this. It's seeking to actually put numbers and science into the art of determining how vulnerable we actually are, and how quickly we can react to issues. And it's doing so openly, with clear documentation about how it's doing it, and why it's doing it, and I'd expect that we'll start to get some of the numbers and analysis out of the NCSC annual report next year.
Defenders who share information with one another help each other, and that helps us all.
Or as the Government Digital Service used to say: "Make things open, it makes things better"
- Cyberspace has become a battleground. Cyber is increasingly the domain of warfare, as seen in Russia’s use of malware designed to destroy data and prevent computers from booting in Ukraine. But Russia was not alone in its use of cyber operations to pursue strategic interests. In July 2021, the Australian Government publicly attributed exploitation of Microsoft Exchange vulnerabilities to China’s Ministry of State Security. And a joint Five-Eyes Advisory in November 2021 confirmed exploitation of these vulnerabilities by an Iranian state actor. Regional dynamics in the Indo-Pacific are increasing the risk of crisis and cyber operations are likely to be used by states to challenge the sovereignty of others.
- Australia’s prosperity is attractive to cybercriminals. According to a 2021 Credit Suisse report, Australia has the highest median wealth per adult in the world. In 2021–22, cybercrimes directed at individuals, such as online banking and shopping compromise, remained among the most common, while Business Email Compromise (BEC) trended towards targeting high value transactions like property settlements.
- Ransomware remains the most destructive cybercrime. Ransomware groups have further evolved their business model, seeking to maximise their impact by targeting the reputation of Australian organisations. In 2021–22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost productivity, and lost customers.
- Worldwide, critical infrastructure networks are increasingly targeted. Both state actors and cybercriminals view critical infrastructure as an attractive target. The continued targeting of Australia’s critical infrastructure is of concern as successful attacks could put access to essential services at risk. Potential disruptions to Australian essential services in 2021–22 were averted by effective cyber defences, including network segregation and effective, collaborative incident response.
- The rapid exploitation of critical public vulnerabilities became the norm. Australian organisations, and even individuals, were indiscriminately targeted by malicious cyber actors. Malicious actors persistently scanned for any network with unpatched systems, sometimes seeking to use these as entry points for higher value targets. The majority of significant incidents ACSC responded to in 2021–22 were due to inadequate patching.
- Bug in the HTTP parsing function
- Allows changing a 0x0A byte into a 0x00 byte after the end of an allocation
- Difficult to exploit without an infoleak
- Only used to crash Connman quickly, to start with a clean heap after a restart of the service
- We only saw the exploitability of this bug at the end!
The scarcity of blue badge accounts on the platform, compared to the vast majority of Twitter's accounts that are unverified, has led to the "blue tick" being perceived by tweeters to be a vanity and status symbol.
In other scams, threat actors have hacked verified accounts to impersonate another person to mislead the public or to send Twitter users fake 'account suspension' DMs.
Musk has dissed the existing verification process as "Twitter's current lords & peasants system."
However, other than being perceived as a "status symbol" by some, the blue badge is primarily intended to separate real, authentic accounts of notable people from copycat and parody accounts created by third parties—at least in theory.
The verification is therefore intended to limit misinformation in the sense that users can see a tweet originating from a verified account is authentic and didn't originate from someone impersonating a public figure.
In practice, however, results can vary as a hacked 'verified' account may continue to retain the blue badge even if the hacker changes the name, bio and profile picture on it, thereby making the presence of the badge futile to begin with.
Musk buying Twitter and the changes happening has been, rather naturally, all over Twitter for the last few weeks, and it’s been almost impossible to avoid.
But there are also a lot of assumptions being made about users’ attitudes to information and the system. Do users perceive the blue tick as evidence of both the authenticity of the account and the independent truthfulness of the information? I suspect that most users of Twitter are actually more canny than that, and better consumers of information than we give them credit for.
In particular, if the verification process and system changes, then I think people will start to change their relationship with what they see from “verified users”. It will instead be an opportunity to hear direct from the horse’s mouth of celebrities and the well-to-do.
Of course that comes with dangers, people will phish for verified credentials, and of course we’ll see verified users shilling cryptocurrency scams.
An espionage network working in secret. Intelligence agents planning on swaying world events in a covert operation. Hackers stealing controversial information. And an obscure client funding the entire project with hundreds of millions of dollars.
This is the story of a global secret operation.
An investigation by Swiss media SRF’s investigative team, “SRF Investigativ”, shows the details of how the state of Qatar had officials of world football spied on. And how critics of the upcoming World Cup outside of FIFA were targeted as well.
The ultimate goal of those efforts: to prevent Qatar from losing the World Cup bid after massive criticism was raised, when FIFA awarded the tournament to the authoritarian country in 2010.
Absolutely fascinating piece of journalism here. It’s difficult to tell with these kinds of stories how much is accurate and how much is extrapolated from a very limited set of accesses, but what is there paints a picture of how one imagines a national campaign of influence would be carried out.
From ransomware operators like LockBit and BlackBasta to APTs striking for or against Russian or Chinese interests, threat actors of various stripes all need one thing to get their operations off the ground: initial access to an organization’s network.
Such access can be bought on a variety of trading forums from cyber criminals who specialize in running low-risk phishing campaigns and credential theft operations, or in scanning enterprise networks for known remote code execution (RCE) software vulnerabilities.
Because of the ease with which initial access can now be obtained thanks to poor patch management and lax controls over identity and user credentials, there exists a market where supply is outstripping demand, and vendors involved in selling initial access are lowering their prices in a race to the bottom, making it easier than ever before for threat actors to compromise organizations of all sizes and kinds.
The rise and rise of initial access brokers is something to keep an eye on. This feels like the next big direction for financially motivated actors.
The benefit for Initial Access Brokers is that they can specialise in the initial stages of compromise, but because they aren’t actually exfiltrating data, they’re at a much lower likelihood of getting caught and run far fewer risks, while continuing to make money.
The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber security. Since 2016 it has worked to make the UK the safest place to live and work online and bring clarity and insight to an increasingly complex online world.
This Review of its sixth year reflects on highlights and milestones between 1 September 2021 and 31 August 2022, as well as looking ahead to future priorities and challenges.
As part of a national security agency, not all its work can be disclosed publicly but the review seeks to describe the year with insights and facts from colleagues inside and out of the organisation.
The NCSC’s annual review is out, and this one is filled with loads of useful statistics and strategic context.
Over the 2021–22 financial year, the deterioration of the global threat environment was reflected in cyberspace. This was most prominent in Russia’s invasion of Ukraine, where destructive malware resulted in significant damage in Ukraine itself, but also caused collateral damage to European networks and increased the risk to networks worldwide.
In Australia, we also saw an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale. The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.
The ACSC identified the following key cyber security trends in the 2021–22 financial year:
In the face of rising threats to the digital-dependent Australian economy, cyber defence must be a priority for all Australians. The most effective means of defending against cyber threats continues to be the implementation of the Essential Eight cyber security strategies. To support this, the ACSC launched several new initiatives in 2021–22 to improve Australia’s cyber resilience, such as a Cyber Threat Intelligence Sharing (CTIS) platform which automates sharing of indicators of compromise. The Australian Government’s ten year investment in ASD, known as REDSPICE, will further harden Australia’s cyber defences in 2022–23 and beyond.
I’m a big fan of the Australian Cyber Security Centre’s annual reports. It’s nice to see something from the other side of the world, and see the similarities and the differences.
Of interest here is the similarity, showing that most financially motivated cybercrime groups, such as ransomware operators, are a similar level of threat to all internet users. Secondly, the rise in the speed at which public vulnerabilities become attacks continues to be a risk that faces everyone. You used to be able to rely on slow dissemination of information giving you time to patch, but if you don’t have the ability to patch the vast majority of your estate with hours’ notice, a feat that practically requires automation to be possible, then you are increasingly at risk.
Most cyber security companies silently run internet scans similar to the ones we're talking about. But the NCSC is part of an intelligence agency , so I think we need to be a bit more open about our scanning.
We're not trying to find vulnerabilities in the UK for some other, nefarious purpose.
We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it).
Building this capability has led us to develop a set of principles for conducting scanning effectively and transparently. These are:
- publicly explain the purpose and scope of the scanning system
- mark activity so that it can be traced back to the scanning system being used
- audit scanning activity so abuse reports can be easily and confidently assessed
- minimise scanning activity to reduce impact on target resources
- ensure opt-out requests are simple to send and processed quickly
These are great principles for people building public scanning systems. If you check out the explainer, then you’ll see that requests are clearly tagged with metadata and conducted from clearly labelled locations.
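The "mark activity" and "audit" principles above only pay off if the people on the receiving end check both halves of the marking: the declared request metadata and the declared source locations. The following is an added example (my code, not the NCSC's, and not taken from the explainer) of how a defender might triage web server access logs against a scanner's published details. The scanner name, marker string and source addresses are placeholders I made up for the demonstration (TEST-NET ranges), as are the log lines.

```python
"""
Added example: attribute access-log traffic to a publicly declared scanning
service by checking the declared request marker AND the declared source
addresses together, and surfacing the cases where only one of them matches.
All values below are constructed placeholders, not the NCSC's real details.
"""
import re
from collections import Counter

# Hypothetical details a transparent scanner would publish (placeholders).
DECLARED_SOURCES = frozenset({"192.0.2.10", "192.0.2.11"})        # TEST-NET-1
DECLARED_MARKER = "ExampleScanner/1.0 (+https://scanner.example/why)"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two genuine scanner hits, one ordinary visitor, one
# request carrying the marker from an undeclared address, and one request from
# a declared address without the marker.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Nov/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleScanner/1.0 (+https://scanner.example/why)"
203.0.113.7 - - [06/Nov/2022:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Nov/2022:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "ExampleScanner/1.0 (+https://scanner.example/why)"
192.0.2.11 - - [06/Nov/2022:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleScanner/1.0 (+https://scanner.example/why)"
192.0.2.10 - - [06/Nov/2022:10:00:05 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.81.0"
"""


def classify(line: str) -> str:
    """Label one log line by how it relates to the declared scanner."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    from_declared = m["src"] in DECLARED_SOURCES
    marked = m["ua"] == DECLARED_MARKER
    if from_declared and marked:
        return "declared-scanner"          # both halves agree: safe to attribute
    if marked:
        return "marker-from-undeclared-source"  # marker alone proves nothing
    if from_declared:
        return "declared-source-unmarked"  # worth raising with the operator
    return "other"


def summarise(log_text: str) -> Counter:
    """Count lines per classification, skipping blank lines."""
    return Counter(classify(line) for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    for label, count in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{label:32s} {count}")
```

The two mismatch categories are the useful output: a marker from an undeclared address is exactly the kind of thing a published marker invites, and a declared address sending unmarked requests is what the audit principle exists to resolve.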
Introducing Dastardly - a free, lightweight web application security scanner for your CI/CD pipeline, from the makers of Burp Suite.
Secure web development ain't easy
Ensuring your code is written securely can be a bit of a headache. Most of us know about the risks of SQL injection by now, but what about vulnerabilities like Cross-site scripting (XSS) or CORS misconfigurations?
There are hundreds of static (SAST) code analysis tools around, but many are prone to noise - distracting you with a seemingly endless stream of false positives. In short, these tools often get ignored at best.
Dastardly is different
Dastardly's scanner produces very little noise, thanks to its dynamic (DAST) methodology. It looks at your application from the outside in - just like a real attacker. So if it sees a vulnerability, you can be pretty sure it's real. And to do this, it uses a stripped-down version of the scanner used by Burp Suite - the world's leading toolkit for web security testing.
In the past, dynamic analysis has been difficult to fit into CI/CD - being slower than static analysis. But Dastardly scans complete in ten minutes or less - giving you fast feedback on seven security issues you should be aware of. This gives you the ability to fix actual security issues there and then, without any painful context-switching or false positives.
This looks really interesting. Free tool to integrate into your CI/CD pipeline. Looking forward to trying this out.
Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developers’ machines by hiding a malicious import. Join us here on the Phylum research team as we investigate these new and shifting tactics the attacker is using to deploy W4SP stealer in this supply-chain attack.
Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. The benefit this attacker gained from copying an existing legitimate package is that, because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real-looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.
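The copy-and-splice pattern described above has a useful property for defenders: the legitimate upstream exists to diff against, and the injected code has to run at import time to be worth anything. Below is an added example (my code, not Phylum's tooling) that combines the two checks: diff a candidate module against the upstream it appears to copy, then walk the candidate's AST for `__import__`/`exec`/`eval`/`compile` calls and report whether each one sits in module-level code and whether its line is absent from the upstream. Both source strings are constructed for the demonstration; the base64 payload is a harmless placeholder, not anything from the real campaign.

```python
"""
Added example, not Phylum's code: triage a package that looks like a copy of a
legitimate upstream, looking for a spliced-in dynamic import of the kind the post
describes.  Sources below are constructed stand-ins; the payload is a placeholder.
"""
from __future__ import annotations

import ast
import difflib
from dataclasses import dataclass

# Constructed stand-in for the legitimate upstream module.
UPSTREAM_SOURCE = '''\
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)

def save(path, data):
    with open(path, "w") as fh:
        json.dump(data, fh)
'''

# Constructed stand-in for the copied package: identical apart from one injected
# module-level line.  The base64 string decodes to a harmless print() placeholder.
COPIED_SOURCE = UPSTREAM_SOURCE.replace(
    "\ndef save(",
    '\n__import__("builtins").exec(__import__("base64").b64decode("cHJpbnQoJ3BsYWNlaG9sZGVyJyk="))\n\ndef save(',
)

SUSPICIOUS_CALLS = frozenset({"__import__", "exec", "eval", "compile"})


@dataclass(frozen=True)
class Finding:
    lineno: int
    call: str
    argument: str        # repr of a literal first argument, or "<computed>"
    runs_on_import: bool  # module-level code executes as soon as the package is imported
    spliced: bool         # the line does not exist in the upstream being copied


def _call_name(node: ast.Call) -> str | None:
    """Bare or attribute name being called, e.g. '__import__' or 'exec'."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def _describe_arg(node: ast.Call) -> str:
    """A literal string argument is reviewable; anything else is opaque until runtime."""
    if node.args and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
        return repr(node.args[0].value)
    return "<computed>"


def spliced_lines(upstream: str, candidate: str) -> set[str]:
    """Lines present in the candidate but not in the upstream it claims to be."""
    diff = difflib.unified_diff(upstream.splitlines(), candidate.splitlines(), lineterm="", n=0)
    return {line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")}


def triage(upstream: str, candidate: str) -> list[Finding]:
    """Report suspicious dynamic-code calls in the candidate, with import-time and splice context."""
    added = spliced_lines(upstream, candidate)
    src_lines = candidate.splitlines()
    findings: list[Finding] = []
    for stmt in ast.parse(candidate).body:
        # Function and class bodies only run when called; everything else runs on import.
        runs_on_import = not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and _call_name(node) in SUSPICIOUS_CALLS:
                findings.append(Finding(
                    lineno=node.lineno,
                    call=_call_name(node),
                    argument=_describe_arg(node),
                    runs_on_import=runs_on_import,
                    spliced=src_lines[node.lineno - 1] in added,
                ))
    return findings


if __name__ == "__main__":
    for f in triage(UPSTREAM_SOURCE, COPIED_SOURCE):
        severity = "HIGH" if f.runs_on_import and f.spliced else "review"
        print(f"[{severity}] line {f.lineno}: {f.call}({f.argument})")
```

On the constructed input every finding lands on the one spliced, module-level line, which is the combination that should block a package from entering a vetted proxy; a `__import__` inside a function body of a file that also exists upstream would rank much lower.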
Upstream package attacks remain a really nasty way of getting something like W4SP Stealer onto developers’ devices. What’s not clear, however, is just who is behind this and what they intend to do with the credentials they’ve stolen.
Getting hold of all of the credentials on a developer’s machine could be the precursor to a much more complex attack, but in this case the attacker shows a lot of grit and determination, constantly changing tactics, while also seeming to use publicly available tools with little obfuscation, such as GitHub accounts and Discord, to handle the command and control. This slightly odd mix makes it hard to determine what they are doing.
There’s really only one good defence against this form of supply chain attack, and that’s to run vetted package repository proxies. That’s incredibly frustrating as a developer, but the additional step when fetching new dependencies, especially uncommon and typosquatted dependencies, is probably the best safeguard you can have.
Vulnerabilities we found in the remote surface (Connman)
OOB byte swap in GWEB (CVE-2022-32292)
Double free in WISPR (CVE-2022-32293)
This is a great writeup of a remote code execution, and it has just enough detail to show how what sound like pretty benign bugs, the ability to insert a null into a bytestream through an HTTP parsing issue and a double-free, come together into something exploitable.