Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: Spear-phishing causes $540 million loss, a high severity bug in OpenSSL might be “worse than Heartbleed,” and Lennart Poettering is now working for Microsoft.
1. Don’t Phall for Phishing
First up this week: A senior developer allowed hackers to break into their employer’s network by opening an emailed attachment. The dev trusted the sender because it appeared to be a company offering a juicy job.
Analysis: Don’t let your guard down
DevOps staff are usually the most switched on to the risks of opening email attachments. But even the most careful might fail to spot a clever, patient attacker such as this one.
Ryan Weeks: How a fake job offer took down the world’s most popular crypto game
Rarely has a job application backfired more spectacularly than in the case of one senior engineer … whose interest in joining what turned out to be a fictitious company led to one of the [cryptocurrency] sector’s biggest hacks [as] Ronin, the Ethereum-linked sidechain … lost $540 million. … One source added that the [recruitment was] through the professional networking site LinkedIn.
…
The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over … the Ronin network.
PDF? How was that possible? zrobotics saw a similar scenario:
Phisher asked employee to sign a document relating to customs. The phisher had gathered that this employee works with shipping claims and returns, and surmised that they need to deal with customs documents requiring signature.
There was a link to an exe hosted on a European cloud service in the PDF titled “install fake signature certificate company to sign this document.” This directed to a download of a basic ransomware executable. This did get past our AV to the point of encrypting the employee’s machine, but thankfully was blocked from spreading to the rest of the network.
The employee’s machine was toast, but I was able to restore from the prior day’s backup and no major harm occurred … but they did lose a half-day work and I updated our training. The attack itself was clever from a social engineering perspective, but the technical exploit was something any script kiddy could have downloaded from the open web, nothing advanced at all. But Gmail doesn’t always scan links in PDFs, so a clever ruse was able to bypass Google’s scanning as well as our local scanning.
Social engineering FTW, though. Here’s Rachel Tobac:
Job based phishing attacks are a huge challenge for a lot of reasons: It’s tough to verify identity/authenticity with people you have no relationship with, job opportunities actually do reach out to schedule interviews/send info so attack method matches real life, etc.
2. OpenSSL Bug ‘Worse Than Heartbleed’?
OpenSSL 3.0.4 introduced a tricky vulnerability that allows an attacker to corrupt server memory. CVE-2022-2274 might let such scrotes execute code remotely.
Analysis: Patch now, obvs.
3.0.5 fixes the flaw and is now available upstream. If your servers support AVX512IFMA instructions, you should go get it as soon as your distro has it.
Guido Vranken: OpenSSL remote memory corruption
Peculiarly, almost nobody is talking about this: … OpenSSL version 3.0.4 … is susceptible to remote memory corruption which can be triggered trivially by an attacker. … x64 systems with AVX512 support are affected.
…
If RCE exploitation is possible this makes it worse than Heartbleed. … Apart from code execution, there can also be scenarios where private data is leaked to the attacker.
Why are we still using OpenSSL when there are better choices? ggm:
OpenSSL represents “API/ABI” dependency. People coded to this.
OpenSSL is also “s/w by accretion” as people added and removed things over time. The original core, SSLEAY, Was an exemplary instance of somebody outside the core cryptographic community … and was hand coded to be both algorithmically faithful to export restrictions (ITAR) and machine code optimisations: it was fast.
And here’s a slightly sarcastic Sirened:
Intel, in a shocking move, has preemptively patched this vulnerability in silicon by deprecating AVX512 months ago.
3. Systemd Dev is now Working for Microsoft
Systemd is like Marmite … or the Kia Soul: You either love it or hate it. Will more people hate it now that its creator is a Microsoft employee?.
Analysis: Embrace, extend, extinguish?
Microsoft has long touted its love and support of open source. But people have pachydermous memories—so trust is hard to earn. But Lennart Poettering joins a long and distinguished list of current and former FLOSS devs.
Michael Larabel: Systemd Creator Lands At Microsoft
Lennart Poettering quietly … left Red Hat following a decade and a half there leading PulseAudio among other projects and ultimately going on to start systemd, which has fundamentally reshaped modern Linux distributions. … He joined the Redmond company … it actually turns out not to be a joke.
…
The prominent open-source developer [is] continuing his focus on systemd development. While some may not always align with his views or approaches to handling some things, there is no overstating his enormous contributions to the Linux/open-source world.
…
Microsoft has over time employed a number of Linux developers and other prominent open-source developers. [For example] Python creator Guido van Rossum, GNOME creator Miguel de Icaza … Nat Friedman … Gentoo Linux founder Daniel Robbins … Steve French … Matteo Croce, Matthew Wilcox, Tyler Hicks, Shyam Prasad N, Michael Kelley, and many others. … It was also just earlier this year that Christian Brauner … another longtime Linux kernel developer, joined Microsoft.
“Quietly”? em-bee’s not surprised:
I am not surprised that he made this move quietly. Poettering’s work attracted a disproportionate share of criticism, and moving to Microsoft is not exactly a helpful move to quell that criticism.
…
Since he continues to work on systemd, critics will now start to decry systemd as being a Microsoft product. … This move is likely to strengthen the anti systemd camp.
Whatever Microsoft does, some people will never trust the company. For example, rabcor:
Systemd is great, though it’s hated … for its monolithic structure, which is a pretty lame reason. … I’m sure that we’ll start seeing more distros moving away from systemd purely due to mistrust towards Microsoft—and that’s a good thing, ‘cuz variety and choice is nice.
I truly don’t mind sticking with systemd though, even with Poettering working on it from Micro$oft, I mean I hate Microsoft, and I sure as **** wouldn’t trust them with a pet rock, but systemd is an open source project and if they force some shady **** into systemd then someone’s just gonna fork it and remove it and we’ll all use that instead.
.
The Moral of the Story:
Be great in act, as you have been in thought
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or [email protected].
Image: Bruno van der Kraan (via Unsplash; leveled and cropped)