IEEE Cipher --- Items from security-related news (E188)
Prior news summaries from Cipher
Summary:
Dan wrote a masters thesis at MIT in 1966 about automating the
decoding of simple cipher systems with computers. At the time he
was at Project MAC. He continued contributing to the foundations
of computer security and was one of the authors of the Orange Book.
His interview for the Charles Babbage Institute's oral history
project is
here.
The Applied Computer Security Association maintains information about people in the computer security field who have died. Dan's entry will appear there.
Summary:
This new malware has been insinuating itself in various platforms for
at least two years (see
Google Cloud blog from April of 2024) when it was
noticed in Ivanti Connect Secure. More recently it was detected in
a variety of Linux and BSD-based appliances. BRICKSTORM is remarkably
hard to detect, and its initial entry point was known when it was
first detected.
Researchers think that it gains access to edge appliances using
zero-day exploits and from there moves inward to VMware vCenter and
ESXi hosts.
Summary:
The stealth and persistence of BRICKSTORM malware are due to clever
engineering, the type associated with espionage from the People's
Republic of China. This CISA report about an analysis of eight
samples of BRICKSTORM reveals the multilayered capabilities of the
software, which is embodied in a "custom Executable and Linkable Format
(ELF) Go-based backdoor". Stolen credentials, encrypted messages,
automatic reinstall, jumps from server to server, and many other
coordinated techniques make this malware hard to stop. The report
makes for an interesting true cybercrime story.
Summary:
In late September the Asahi beer company was the victim of a
cyber-attack that shut down its order and shipment operations.
The problem was so serious that beer production was halted,
and restaurants in Japan found it difficult to stock the popular brew.
By early September partial production was resumed at all six
breweries in Japan (production outside of Japan was unaffected by
the attack). Overall, the attack had a serious effect on the
company's ability to produce beer, soft drinks, and other food
items.
Summary:
The attack on Asahi not only disrupted their logistics, it also
may have disclosed data about as many as 2 million people, most of
them Asahi customers. Asahi refused to pay ransom, and it is
still recovering from the "sophisticated and cunning" attack.
Their CEO estimates that full production of their products
will not resume until February of 2026.
Summary:
Is it possible to convince several thousand people, most of them
elderly, to convert their life savings to hundred dollar bills and
feed them into a machine at a gas station for "safeguarding"?
According to the FBI and AARP, that happened last year, and
presumably has continued in the current year. The machines are
Bitcoin ATMs, and scammers convince their victims to divert the
money to themselves. The owners of the ATMs collect impressive
fees on the transactions, and they are reluctant to take measures
that might reduce the risk to unwitting customers.
Summary:
The Internet is composed of a myriad of communicating devices. Its
ad hoc complexity is thought to be its best defense. To "take it
down" would be like cutting through curtains of glue and string.
But as the Internet grows, people need to find ways to manage
the myriad of devices, and economics and information theory tend
to favor centralization of resources. So, the Internet grows and the
Internet coalesces. Inquiring minds want to know if it has an
Achilles heel (or several of them) that could be toppled like a stack
of dominoes. DNS, AWS, Google data centers, BGP, ... ? Do these
hide weaknesses in our digital ecosystem? This article has musings
from 3 Internet experts about disaster scenarios. One of them
mentioned an informal Internet recovery plan for the UK that
would involve gathering their gurus at a London pub to map out a
restart strategy. He told the reporter:
"I don't know if this is still the case. It was quite a few years ago
and I was never told which pub it was."
Summary:
Windows Server Update Services (WSUS) had an exploitable bug in its
data deserialization routines that led to remote code execution.
Microsoft issued a patch for the problem, and that caused malicious
actors to take note. However, machines running WSUS shouldn't be
accessible from the Internet, so it would be hard to launch an attack,
right? Sadly, Trend Micro found 500K servers on the Internet, and it is
likely that all of them will be probed by attackers at some point.
Once the attackers obtain remote shell access, they generally perform reconnaissance and exfiltration as well as covering their tracks. The potential danger to other parts of an enterprise is catastrophic.
Any hope that the WSUS remote execution vulnerability would be a small glitch was dashed when a server with the patch to fix the deserialization bug was subsequently infected with a modular malware system called ShadowPad. Its origins date back to 2015, and its current instantiation has been called a "masterpiece of privately sold malware in Chinese espionage."