psw678

Paul’s Security Weekly Episode #678 – December 17, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Generating Threat Insights Using Data Science – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/vicarius for more information!

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, and join our Discord Server!

Description

In this world of countless vulnerabilities, we need to find a way to identify threats. Prioritizing known vulnerabilities is a step in the right direction but definitely not enough. There is a need for a customized threat-identification process.

This segment is sponsored by Vicarius.

Visit https://securityweekly.com/vicarius to learn more about them!

Guest(s)


Roi Cohen –

Co-Founder & VP Sales at Vicarius

Roi has over 13 years of experience as a pentester, IT admin, and CISO. In his current role as Vicarius VP Sales, he helps companies better protect their infrastructure against software vulnerabilities.


Shani Dodge –

C++ Developer at Vicarius

Shani is Vicarius’s machine learning expert. She’s widely experienced with binary analysis, data science, and low-level development both in the academic and practical areas.

Hosts


Jeff Man –

Sr. InfoSec Consultant at Online Business Systems


Larry Pesce –

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely –

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian –

Founder/CIO at Security Weekly/CyberRisk Alliance


Tyler Robinson –

Managing Director of Network Operations at Nisos, Inc

2. Securing The Enterprise Software Supply Chain – 07:00 PM-07:45 PM

Sponsored By

Visit https://securityweekly.com/edgewise for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

SolarWinds is just the latest example of how the enterprise software supply chain, when compromised, can be used successfully by attackers. These coordinated and well-managed attacks prey on trust, so how can we trust our enterprise software?

This segment is sponsored by Edgewise Networks.

Visit https://securityweekly.com/edgewise to learn more about them!

Guest(s)


Harry Sverdlove –

Chief Technologist at Zscaler

Harry Sverdlove, Chief Technologist for Secure Workload Communication, Zscaler, Inc. (formerly Co-Founder and Chief Technology Officer of Edgewise Networks), was previously CTO of Carbon Black, where he was the key driving force behind their endpoint security platform. Earlier in his career, Harry was principal research scientist for McAfee, Inc. (formerly Chief Scientist of SiteAdvisor), where he supervised the architecture of crawlers, spam detectors and link analyzers. Prior to that, Harry was director of engineering at Compuware Corporation (formerly NuMega), and principal architect for Rational Software, where he designed the core automation engine for Rational Robot.

Hosts


Joff Thyer –

Security Analyst at Black Hills Information Security


Jeff Man –

Sr. InfoSec Consultant at Online Business Systems


Larry Pesce –

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely –

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian –

Founder/CIO at Security Weekly/CyberRisk Alliance


Tyler Robinson –

Managing Director of Network Operations at Nisos, Inc

3. SolarWinds Attack, AIR-FI Technique, & Zodiac Cypher Decoded – 08:00 PM-09:30 PM

Announcements

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

  • We have officially wrapped up all of the recordings for our 2020 webcasts & technical trainings! Stay tuned as we build out our schedule for next year! Visit https://securityweekly.com/ondemand to view all of our 2020 webcasts & trainings!

Description

In the Security News, How suspected Russian hackers outed their massive cyberattack, Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure, Zodiac Killer Cipher Solved, a Security Researcher states ‘solarwinds123’ Password Left Firm Vulnerable in 2019, Why the Weakest Links Matter, and a 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist!

Hosts


Jeff Man –

  1. Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
  2. SolarWinds hackers’ capabilities include bypassing MFA – “Some companies are about to find out they actually do use SolarWinds in production…”
  3. Linus Torvalds: ‘Nothing that looks scary’ in important new Linux kernel 5.10
  4. Data Leak Exposes Details of Two Million Chinese Communist Party Members
  5. Reported Russian hack of US systems has implications for DoD network security plans
  6. Google Cloud is majorly upping its security game
  7. Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems – this one’s for Larry

Joff Thyer –


Larry Pesce –


Lee Neely –

  1. FireEye Mandiant SunBurst Countermeasures – These rules are provided freely to the community without warranty. In this GitHub repository you will find rules in multiple languages: Snort, YARA, IOC, and ClamAV.
  2. InfoSec Handlers Diary Blog – SANS ISC summary on the Solarwinds event
  3. SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack – YouTube
  4. cyber.dhs.gov – Emergency Directive 21-01, December 13, 2020: Mitigate SolarWinds Orion Code Compromise – mitigations and actions required.
  5. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor – Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
  6. Up to 3 million devices infected by malware-laced Chrome and Edge add-ons – As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or malware infected sites. – This one is from Chelle (my wife)
  7. AMNESIA:33 – Forescout – Forescout Research Labs discovered 33 vulnerabilities impacting millions of IoT, OT and IT devices that present an immediate risk for organizations worldwide.
  8. Data of 243 million Brazilians exposed online via website source code – Personally identifiable information (PII) belonging to some 243 million living and dead Brazilians was found exposed online after web developers inadvertently left the password to a government database in the source code of an official Brazilian Ministry of Health website for roughly six months.
  9. TransLink confirms ransomware attack, says payment data secure – In this case, customers were unable to use credit and debit cards at certain vending machines and tap-to-pay fare gates, but TransLink said that payment card data was not compromised. Egregor ransomware was used in this attack.
  10. Adobe users targeted in dangerous new phishing campaign – A new credential capturing phishing attack has been discovered targeting Adobe users. This particular campaign uses an email that purports to be from the non-existent service Adobe Cloud. (As opposed to Adobe Creative Cloud which exists.)
  11. Ransomware gang says they stole 2 million credit cards from E-Land – Clop ransomware is claiming to have stolen 2 million credit cards from E-Land Retail over a one-year period ending with last month's ransomware attack. E-Land claims no customer data was accessed or exposed in the attack as that data was encrypted on a different server.
  12. Hackers target groups in COVID-19 vaccine distribution, says IBM – IBM is warning companies instrumental in the distribution of COVID-19 vaccines that its “cold chain” process for keeping vaccines at the proper temperature during delivery is being targeted in a global phishing campaign.
  13. Nuclear weapons agency breached amid massive cyber onslaught – The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.
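The FireEye countermeasures in item 1 ship indicators in several rule formats, and ED 21-01 in item 4 expects operators to hunt for the Orion compromise on their own networks. The block below is an added example (it is not FireEye's rule set, nor CISA's or any vendor's code) of the smallest useful consumer of a domain indicator: refang the defanged entry, then match it against DNS query logs on a label boundary so that look-alike names are not reported. The log lines are constructed in BIND query-log style, the indicator list contains only the SUNBURST domain avsvmcloud[.]com named in the killswitch item further down this page, and the regular expression assumes that BIND layout; adapt it for your resolver's format.

```python
"""Match DNS query logs against defanged domain indicators.

Added example, not the FireEye countermeasure rules and not any vendor's code.
The log lines are constructed in BIND query-log style; the indicator is the
SUNBURST domain named on this page. The regex assumes the BIND layout.
"""
import re

# Constructed sample log. Only the third line should match: the second is a
# look-alike registered name and the fourth merely contains the IOC as a prefix.
SAMPLE_DNS_LOG = [
    "17-Dec-2020 10:15:01.001 client 10.0.0.5#53211: query: updates.example.net IN A + (10.0.0.2)",
    "17-Dec-2020 10:15:02.114 client 10.0.0.5#53212: query: notavsvmcloud.com IN A + (10.0.0.2)",
    "17-Dec-2020 10:15:03.220 client 10.0.0.9#41002: query: k3xj2.avsvmcloud.com IN A + (10.0.0.2)",
    "17-Dec-2020 10:15:04.330 client 10.0.0.9#41003: query: avsvmcloud.com.example.org IN A + (10.0.0.2)",
    "17-Dec-2020 10:15:05.440 client 10.0.0.7#41004: resolver priming query complete",
]

INDICATORS = ["avsvmcloud[.]com"]  # defanged, as indicators are usually published

# Assumed BIND query-log layout: "... query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)")


def refang(indicator):
    """Undo common defanging so the indicator compares against live log data."""
    d = indicator.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[dot]", ".")):
        d = d.replace(broken, fixed)
    return d.strip(".")


def domain_matches(qname, ioc):
    """True when qname is the IOC itself or a subdomain of it.

    The leading dot in the suffix test enforces a label boundary, so
    'notavsvmcloud.com' does not match 'avsvmcloud.com'.
    """
    q = qname.lower().rstrip(".")  # tolerate the trailing root dot some resolvers log
    return q == ioc or q.endswith("." + ioc)


def scan_dns_log(lines, indicators):
    """Return one hit per (line, indicator) pair whose query name matches."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. resolver housekeeping)
        qname = m.group("qname")
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append({"qname": qname, "qtype": m.group("qtype"), "ioc": ioc, "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, INDICATORS):
        print("%s -> %s (%s)" % (hit["qname"], hit["ioc"], hit["qtype"]))
```

A hit against avsvmcloud.com after the domain was sinkholed still tells you a host ran the backdoored Orion build and phoned home, which is exactly the inventory ED 21-01 asks for.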

Paul Asadoorian –

  1. Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’ – “This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,”
  2. 51% of WFH Parents Say Children Have Accessed Work Accounts – We need to take the time to educate: “Nearly half of parents let children access devices with saved passwords on them, data shows, but 14% admit their kids have caused trouble by accessing an account with a saved password. One noted their child got into their bank account and wired money to a random account.”
  3. Signal App Crypto Cracked, Claims Cellebrite – Security Boulevard – I will not believe it until I see it: https://www.cellebrite.com/en/blog/cellebrites-new-solution-for-decrypting-the-signal-app/
  4. How suspected Russian hackers outed their massive cyberattack – “We initially detected the incident because we saw a suspicious authentication to our VPN solution,” said Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm. “The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.”
  5. SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks – “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”
  6. Here comes the bride: New map matches threat intel to cyberdefenses – CyberScoop – Sounds like they mapped NIST CSF to MITRE ATT&CK. Happy dance?
  7. Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure – More of the same, if you want to pwn stuff, just use firmware and IoT, still… “According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched.”
  8. We’re not saying this is how SolarWinds was backdoored, but its FTP password ‘leaked on GitHub in plaintext’
  9. RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems – Coming to an embassy near (or far away?) from you: “The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet.”
  10. Zodiac Killer Cipher Solved – Schneier on Security – A 51-year-old cipher: “Cryptologist David Oranchak, who has been trying to crack the notorious “340 cipher” (it contains 340 characters) for more than a decade, made a crucial breakthrough earlier this year when applied mathematician Sam Blake came up with about 650,000 different possible ways in which the code could be read. From there, using code-breaking software designed by Jarl Van Eycke, the team’s third member, they came up with a small number of valuable clues that helped them piece together a message in the cipher”
  11. Microsoft Windows DrawIconEx Local Privilege Escalation – Exploitalert
  12. Why the Weakest Links Matter – “Developer machines, source control management systems, build servers, or even sites that developers download tools from may be compromised, giving an attacker an entry point to inject malicious code. Too often, these are the weakest links in the chain, and attackers will always focus on the weak links. There’s no need to spend the time and effort to attack the hard targets when there are easier options available; attackers — especially those that work for state-backed operations — have deadlines too.”
  13. Killswitch Found for Malware Used in SolarWinds Hack – The profile is weird. The attackers were smart enough to backdoor SolarWinds. But yet, they reportedly stole some of FireEye’s attack tools. But then, left it easy to shut down the campaign: “During its analysis of the malware, FireEye noticed that SUNBURST had been communicating with a domain named avsvmcloud[.]com. The cybersecurity firm worked with Microsoft and registrar GoDaddy to seize control of the domain.” Smoke and mirrors?
  14. Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019 – This may help explain it: “Security researcher Vinoth Kumar told Reuters that he contacted the company in 2019, alerting it that anyone could access its update server by guessing the password “solarwinds123.” Reuters also reports that hackers claiming they could sell access to SolarWinds’ computers since 2017. It is not clear from the wording of the story whether the offer was for a method of infiltrating SolarWinds itself, or if the black hat was offering to sell access to computers that used SolarWinds software.”
  15. “Evil mobile emulator farms” used to steal millions from US and EU banks
  16. ‘I Am the Dopest NASA Engineer You Will Ever Meet’: 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist – I want to end the year on a high note, I LOVE this story: “A second mistake happened during Williams’ freshman year in high school, when a teacher inadvertently enrolled her in an honors geometry class. Williams said she was excited, but her heart dropped when the teacher told her it was a mishap and offered to re-enroll her in a normal math class. “But by this time, I knew that mistakes were my strength,” she said. “Mistakes gave me a second chance. Mistakes have me showing a whole generation of students how cool math and science can be.” Williams forged ahead, got an A in the class, and the rest is history. In 2017, she made her first splash when she penned lyrics teaching the quadratic formula. The song explained coefficients and x-axis intercepts over the sound bed of Soulja Boy’s 2007 summer anthem “Crank Dat.” A music video for the song got thousands of views on YouTube and helped catapult Williams to a level of stardom for her catchy educational jingles.”
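Item 4 in the list above quotes how FireEye caught the intrusion: the attacker enrolled a device into the MFA solution, that enrollment generated an alert, and someone followed up on it. What makes such an alert worth following up is context the MFA system alone does not have, namely whether the source of the enrollment has ever authenticated as that user before. The block below is an added example (not FireEye's, Mandiant's, or any vendor's code) of scoring enrollment events against the account's VPN login history: an enrollment from a never-seen address is reported, and it gains a second reason when a VPN login from that same new address follows within a short window, which is the sequence an attacker produces when they enroll their own device and immediately use it. The event schema (ts, user, event, src_ip, device) and the sample events are constructed for illustration; map them onto your own IdP and VPN log fields.

```python
"""Rank MFA device-enrollment events by how unusual they are for the account.

Added example, not code from Security Weekly, FireEye or any vendor. The event
schema and the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice logs in from her usual address three times, then
# a device is enrolled from an address she has never used, and a VPN login from
# that same new address follows two minutes later. bob enrols from his usual address.
SAMPLE_EVENTS = [
    {"ts": "2020-12-01T09:00:00", "user": "alice", "event": "vpn_login", "src_ip": "203.0.113.10"},
    {"ts": "2020-12-02T09:05:00", "user": "alice", "event": "vpn_login", "src_ip": "203.0.113.10"},
    {"ts": "2020-12-03T09:01:00", "user": "alice", "event": "vpn_login", "src_ip": "203.0.113.10"},
    {"ts": "2020-12-07T02:14:00", "user": "alice", "event": "mfa_device_enrolled", "src_ip": "198.51.100.77", "device": "iPhone"},
    {"ts": "2020-12-07T02:16:00", "user": "alice", "event": "vpn_login", "src_ip": "198.51.100.77"},
    {"ts": "2020-12-01T10:00:00", "user": "bob", "event": "vpn_login", "src_ip": "192.0.2.5"},
    {"ts": "2020-12-04T10:00:00", "user": "bob", "event": "mfa_device_enrolled", "src_ip": "192.0.2.5", "device": "Pixel"},
    {"ts": "2020-12-04T10:05:00", "user": "bob", "event": "vpn_login", "src_ip": "192.0.2.5"},
]


def find_suspicious_enrollments(events, window=timedelta(hours=1)):
    """Return enrollments made from an IP the user has never authenticated from.

    Each finding carries a list of reasons. A second reason is added when a VPN
    login from the same new IP lands within `window` after the enrollment.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    known_ips = defaultdict(set)   # user -> source IPs seen in earlier VPN logins
    pending = []                   # (finding, enrollment time) awaiting a follow-up login
    findings = []
    for ev in ordered:
        user, ip = ev["user"], ev["src_ip"]
        when = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "mfa_device_enrolled":
            if ip in known_ips[user]:
                continue  # enrollment from a familiar address: routine, not reported
            finding = {
                "user": user, "src_ip": ip, "ts": ev["ts"], "device": ev.get("device"),
                "reasons": ["enrollment from an IP never seen in this user's VPN logins"],
            }
            findings.append(finding)
            pending.append((finding, when))
        elif ev["event"] == "vpn_login":
            for finding, enrolled_at in pending:
                same_actor = finding["user"] == user and finding["src_ip"] == ip
                in_window = timedelta(0) <= when - enrolled_at <= window
                if same_actor and in_window and len(finding["reasons"]) == 1:
                    finding["reasons"].append(
                        "VPN login from the same new IP within %s of enrollment" % window)
            known_ips[user].add(ip)  # only record the IP after checking pending enrollments
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f["user"], f["src_ip"], f["ts"], "|", "; ".join(f["reasons"]))
```

The ordering matters: the login's IP is added to the user's history only after the pending enrollments are checked, otherwise the attacker's own follow-up login would retroactively make the enrollment address look familiar. Feed this the full history, not just the alert window, since the point is to compare the enrollment against what the account normally does.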

Tyler Robinson –