Paul’s Security Weekly Episode #684 – February 25, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. “Confessions of a CIA Spy – The Art of Human Hacking” Book Release – 06:00 PM-06:45 PM

Announcements

Description

Peter will tell the story behind the story of his new book “Confessions of a CIA Spy – The Art of Human Hacking” including key highlights from the book regarding data protection.

Peter’s new book is available on Amazon: https://amazon.com

Guest(s)

Peter Warmka – Founder at Counterintelligence Institute

Former Senior Intelligence Officer with the CIA with over 20 years of experience in breaching the security of organizations overseas. Certified Protection Professional (CPP) and Certified Fraud Examiner (CFE). Professional trainer and Certified Instructor (CIA-U). Adjunct Professor in Webster University’s Masters in Cyber Security Program. Conference speaker, guest podcaster, and author of numerous publications on social engineering and fraud, including “Confessions of a CIA Spy – The Art of Human Hacking.” Founder of the Orlando-based firm Counterintelligence Institute, LLC. Passionate about using his expertise to help city, state and federal government entities, non-profits, academic institutes, private companies and individuals safeguard their sensitive proprietary and/or personal data.

Hosts

Doug White – Professor at Roger Williams University
Jeff Man – Sr. InfoSec Consultant at Online Business Systems
Joff Thyer – Security Analyst at Black Hills Information Security
Larry Pesce – Senior Managing Consultant and Director of Research at InGuardians
Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian – Founder at Security Weekly
Tyler Robinson – Managing Director of Network Operations at Nisos, Inc

2. Wait, You Did What? How To Be A Cybersecurity Hero… – 07:00 PM-07:45 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Bryan will talk about how and why he wiretapped the US Secret Service and FBI, and how he used his Marine Corps training, cyber abilities, social engineering, and OSINT to rescue his foster daughter from being trafficked. Bryan will then explain what he does at Cyemptive, his day job.

Highlights Reel: https://www.youtube.com/watch?v=U3DSRWwgCoE

Guest(s)

Bryan Seely – Senior Security Architect / Evangelist at Cyemptive Technology

Bryan Seely is an international keynote speaker, world-famous hacker, cybersecurity expert, author and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Shockingly, he told the two agencies before he was caught, and instead of being sent to a maximum security prison, the Secret Service called him a hero and praised his courage and integrity. He has appeared in the New York Times, Wall Street Journal and Washington, as well as on television (Closing Bell on CNBC, CNN, FOX News, ABC, NBC and TMZ with Harvey Levin). Bryan is passionate about fighting for consumers’ rights and privacy and educating the public about how to stay safe in a constantly changing technology landscape. He currently works as a Senior Security Architect for Cyemptive Technologies, and is a professional keynote speaker, podcast host and full-time single father of 2 usually-adorable children.

Hosts

Doug White – Professor at Roger Williams University
Jeff Man – Sr. InfoSec Consultant at Online Business Systems
Joff Thyer – Security Analyst at Black Hills Information Security
Larry Pesce – Senior Managing Consultant and Director of Research at InGuardians
Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian – Founder at Security Weekly
Tyler Robinson – Managing Director of Network Operations at Nisos, Inc

3. TV Hacking, Nvidia, Nation States, NASA, & VMware – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our YouTube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

This week in the Security News: Nvidia tries to throttle cryptocurrency mining, digging deeper into the SolarWinds breach, now with executive orders, NASA’s secret message on Mars, vulnerabilities in Python and Node.js, hacking TVs and AV gear, nation-state hacking galore, patch your VMware vCenter, and is a password manager worth your money?

Hosts

Doug White – Professor at Roger Williams University

  1. President Biden’s Supply Chain Executive Order – Cybersecurity is included in this mandate to examine the whole infrastructure in the wake of SolarWinds.
  2. Nvidia throttles Ethereum mining on the RTX 3060
  3. President Biden’s Executive Order on Supply Chain

Jeff Man – Sr. InfoSec Consultant at Online Business Systems

  1. NASA Sent a Secret Message to Mars. Meet the People Who Decoded It – Drink more Ovaltine!
  2. Why America would not survive a real first strike cyberattack today
  3. Heavily used Node.js package has a code injection vulnerability
  4. Hackers Tied to Russia’s GRU Targeted the US Grid for Years
  5. Daisy Ridley fires back at Ted Cruz after he defends Gina Carano over ‘Mandalorian’ firing – Not wanting to get political or anything, but it’s Star Wars…
  6. Google Cloud puts its Kubernetes Engine on autopilot – A WOPR of a story?
  7. Kroger joins victims of Accellion data breach
  8. Clubhouse suffers data breach
  9. Wawa Reaches Proposed $12M Settlement in Data Breach Litigation
  10. Students’ Information Compromised by Data Breach at Harvard Business School
  11. Massive SolarWinds Hack Prompts Calls for U.S. Law Requiring Cyber Breach Reporting
  12. Tactics & Measures for Ransomware in Enterprise Workplace 2021 – I was interviewed recently on Airgap’s “Ransomware Battleground” podcast. Different venue, but a good discussion about recent ransomware attacks.
  13. Gula Tech Cyber Fiction Show: Episode #7 – Jeff Man – Cybersecurity Evangelism – Ron Gula asked me to chat with him about a whole variety of topics. We will do this again.
  14. SCW Ep #62: Interview with John Threat, Part 1 – Must watch episode for everyone who has an interest in hacker history, hacker culture, hip hop, and more.
  15. SCW Ep #62: Interview with John Threat, Part 2 – Second part of the John Threat interview, and also the guys from Hacker Valley Studio.

Joff Thyer – Security Analyst at Black Hills Information Security

Larry Pesce – Senior Managing Consultant and Director of Research at InGuardians

Lee Neely – Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. VMware addresses a critical RCE issue in vCenter Server – VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to take control of affected systems. CVE-2021-21972 is rated as high risk due to its arbitrary command execution potential.
  2. 10,000 mailboxes hit in phishing attacks on FedEx and DHL Express – Attackers have been spotted leveraging phishing emails that purport to be a FedEx online document share and an email from DHL, both sharing shipping details in two phishing attacks targeting some 10,000 mailboxes at DHL Express and FedEx in an effort to steal victims’ work email credentials.
  3. California DMV Halts Data Transfers After Vendor Breach – The California Department of Motor Vehicles (DMV) has announced it has ceased all data transfers after Seattle, Wash.-based third-party funds transfer service provider Automatic Funds Transfer Services, Inc. (AFTS) suffered a ransomware attack that compromised data belonging to millions of California drivers.
  4. Hackers steal credit card data abusing Google’s Apps Script – Hackers abuse Google Apps Script business application development platform to steal credit cards, bypass CSP
  5. First Malware Designed for Apple M1 Chip Discovered in the Wild – Security researcher Patrick Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.
  6. US Retailer Kroger Admits Accellion Breach – US retail giant Kroger has become the latest big-name brand to admit it suffered a data breach via legacy file transfer software.

    The supermarket chain, America’s largest by revenue, posted the notice late last week.

    It revealed that some of the firm’s customers and employees may have had their data compromised by a malicious third party who exploited a vulnerability in Accellion’s FTA platform.

  7. Silver Sparrow macOS malware with M1 compatibility – Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence.
  8. New malware found on 30,000 Macs has security pros stumped – A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles. Read Red Canary report https://redcanary.com/blog/clipping-silver-sparrows-wings/
  9. Chinese spies ‘used code copied from America’s NSA’ for hacking operations – It is not clear how the China-linked malware analysed by Check Point was used.
  10. NurseryCam hacked, company shuts down IoT camera service – Daycare camera product NurseryCam was hacked late last week with the person behind the digital break-in coming forward to tip us off. A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online.
  11. Transport for NSW data stolen in Accellion breach – Transport for NSW has joined a growing list of global organisations to fall victim to the Accellion data breach after confirming that data from the file-sharing system was stolen. Accellion has patched all FTA vulnerabilities known to be exploited by threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.
  12. FireEye Links Accellion Attacks to FIN11 – FireEye says it has linked the recent string of attacks exploiting vulnerabilities in the Accellion legacy file transfer product (tracked as UNC2546) to the financial crime group “FIN11.” Note that the overlaps between FIN11, UNC2546, and UNC2582 are compelling, but it has not yet been conclusively determined how they are connected.
  13. Python programming language hurries out update to tackle remote code vulnerability – The Python Software Foundation (PSF) has released Python 3.9.2 and 3.8.8 to address a remotely exploitable code execution (RCE) vulnerability (CVE-2021-3177) and a web cache poisoning vulnerability (CVE-2021-23336) that could be exploited by attackers to take targeted systems offline.
  14. Exploitation of Accellion File Transfer Appliance – Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.

    CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
    CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
    CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
    CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)
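
The cache poisoning bug in item 13 (CVE-2021-23336) is easy to misread as a denial-of-service issue, so here is an added, offline model of what it actually enables. This is example code written for these notes, not code from the show or from the Python project. Before 3.9.2/3.8.8, urllib.parse.parse_qs split a query string on ';' as well as '&', while caches, proxies and browsers split on '&' only; that disagreement lets an attacker hide a second parameter inside one the cache ignores. The caching proxy modelled below is hypothetical: it keys responses on the path plus every query parameter except utm_* tracking parameters (a common configuration), and it only understands '&'. The toy search page and both query strings are constructed for the example.

```python
"""Added example (not from the show notes or from CPython): web cache
poisoning via the ';' query separator that parse_qs honoured before
CVE-2021-23336 was fixed. The cache, backend view and URLs are all
hypothetical and constructed for this demonstration."""
import re
from urllib.parse import unquote_plus


def split_query(query, separators):
    """parse_qs-style parsing with an explicit set of separator characters."""
    params = {}
    for pair in re.split("[" + re.escape(separators) + "]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def old_backend_params(query):
    """What pre-fix parse_qs handed the application: '&' and ';' both split."""
    return split_query(query, "&;")


def patched_backend_params(query):
    """What parse_qs returns after the fix: the default separator is '&' only."""
    return split_query(query, "&")


def cache_key(path, query):
    """Hypothetical cache: '&'-only parsing, utm_* parameters not part of the key."""
    params = split_query(query, "&")
    keyed = sorted((k, tuple(v)) for k, v in params.items() if not k.startswith("utm_"))
    return (path, tuple(keyed))


def render_search(params):
    """Toy backend view that reflects every 'q' value into the page body."""
    return "<h1>Results for " + ", ".join(params.get("q", [])) + "</h1>"


def poisoning_demo():
    """Same cache key for victim and attacker, different backend behaviour.

    The attacker tucks ';q=<script>' into utm_content, which the cache drops
    from its key, so the response the old backend produced for the attacker
    is what the cache serves to everyone who later asks for 'q=shoes'."""
    victim_query = "q=shoes"
    attacker_query = "q=shoes&utm_content=x;q=%3Cscript%3E"
    return {
        "same_cache_key": cache_key("/search", victim_query)
        == cache_key("/search", attacker_query),
        "old_backend_body": render_search(old_backend_params(attacker_query)),
        "patched_backend_body": render_search(patched_backend_params(attacker_query)),
    }


if __name__ == "__main__":
    for name, value in poisoning_demo().items():
        print(f"{name}: {value}")
```

With a patched interpreter the ';' is just data inside utm_content and the cached page is the clean one; parse_qs grew a separator= keyword in the fixed releases for the rare application that genuinely needs ';' splitting, and if you use it you need the cache in front of you to key on the same parsing.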

Paul Asadoorian – Founder at Security Weekly

  1. CVSS as a Framework, Not a Score
  2. Is a password manager worth your money? – Agree or disagree? – “Until passwords go the way of the dodo you need to keep them protected, safe, and accessible. Whether you use a paid, free, or homegrown password manager, use something to keep these most valuable keys protected. Personally, I feel paying a small amount to a company gives me the right to demand better services and improvements, something being a free user does not.”
  3. Senate hearing on SolarWinds hack lays bare US shortcomings, remaining mysteries – CyberScoop – “A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amount to espionage, or something worse, and suspicions abound that more victims remain unrevealed.” – So many questions and theories.
  4. Nvidia’s Anti-Cryptomining Chip May Not Discourage Attacks – This reeks of “we want to put a limitation on our products”. And when you do that, people just want to hack it. Why? Because you put a limitation on your products.
  5. SamyGO – We have 17 Samsung TVs in the studio now (and several more in other parts of the office and studios). Naturally, I’ve been curious about hacking them. My intentions are to gain some more control over them, e.g. I don’t need any “Smart” features! Also, I don’t need audio. Initial research led me here. Mute -> 1-8-2 -> Power is a fairly well-known way to access a “secret” service menu. However, this site details so many more hacks and hidden menus. My goal is to really just turn the TVs into monitors. So much more is possible!
  6. HDMI 8X8 Matrix 4K@60Hz 4:4:4 Control4 Driver – J-Tech Digital – I was investigating this product. I found that the default password is “Admin/Admin” by guessing as it was not documented. The IP configuration asked for a default gateway, however, I could find no evidence of firmware updates. In fact, there were no firmware updates posted to the vendor site and no way to apply firmware updates via the web interface or via the serial connection. There is a USB-C port, but the documentation does not mention it. The device runs Telnet on port 23, however, the default credentials do not work on that service.
  7. Python jsonpickle 2.0.0 Remote Code Execution – Check your jsonpickle.
  8. Ukraine says Russia hacked its document portal and planted malicious files – “Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process.” – Nothing new here, just more Russia hacking Ukraine and everyone else in the world turning a blind eye.
  9. This chart shows the connections between cybercrime groups – “Attribution is hard” doesn’t even begin to cover it. When are we going to dig deeper and start identifying which groups were responsible for each phase of the attacks?
  10. Cisco Warns of Critical Auth-Bypass Security Flaw
  11. Cybersecurity Canon – Some of my favorite hacking/security books in here (and some are not my favorites).
  12. Unauthorized RCE in VMware vCenter – “After sending an unauthorized request to /ui/vropspluginui/rest/services/*, I discovered that it did not in fact require any authentication.” – That’s your problem right there…
  13. Heavily used Node.js package has a code injection vulnerability – “This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser),” states the developer behind the component. – We cannot just blindly trust all our components and libraries. A human, sometimes, has to read the documentation and perform a risk assessment, that is until the deadline is approaching and you can save 5 days by implementing an experimental library someone else wrote.
  14. Chinese spyware code was copied from America’s NSA Researchers – If you leave missiles laying around and they fall into the wrong hands, it’s a bigger deal than “cyber” weapons.
  15. Ukraine sites suffered massive attacks launched from Russian networks – “The Ukrainian authorities did not attribute the attack to a specific threat actor.” – This does not mean they don’t know, they just don’t want to say and show their hand. If they know who, it tips them off, and potentially any/all tactics and methods used to observe the attackers.
  16. Python programming language hurries out update to tackle remote code vulnerability – “The bug occurs because “sprintf” is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.”
  17. Clubhouse Chats Are Breached, Raising Concerns Over Security
  18. John Deere Lied For Years About Making Its Tractors Easier To Service
  19. Zombie infection threat as country unlocks 50,000-year-old viruses
  20. New type of supply-chain attack hit Apple, Microsoft and 33 other companies
  21. Microsoft: SolarWinds attack took more than 1,000 engineers to create – “Microsoft, which was also breached by the bad Orion update, assigned 500 engineers to investigate the attack said Smith, but the (most likely Russia-backed) team behind the attack had more than double the engineering resources. “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” said Smith.”
  22. France Ties Russia’s Sandworm to a Multiyear Hacking Spree – “Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris. Though ANSSI says it hasn’t been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other’s malware—sometimes intentionally to mislead investigators—the French agency also says it’s seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents.” – Supply chain attack?
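
Items 12 here and 1 in Lee’s list both concern CVE-2021-21972, and the quoted sentence gives the one thing a defender can hunt for: requests under /ui/vropspluginui/rest/services/ that the server answered instead of rejecting. The script below is an added example written for these notes, not code from the show, from VMware or from the researcher quoted. The log lines are constructed in the common combined log format purely so the example runs offline; real vCenter appliance access logs (the vsphere-ui and reverse-proxy logs) use their own formats, so the regex is the part to adapt. The reasoning it encodes: a 401/403 means authentication was enforced before the plugin saw the request, whereas a 2xx, or a 405 to a GET against uploadova, means the unauthenticated route was reachable.

```python
"""Added example (not from the show notes or from VMware): review web
access logs for probing of the vCenter vROps plugin endpoints abused in
CVE-2021-21972. SAMPLE_LOG is CONSTRUCTED in Apache combined format;
adjust LOG_RE for the real appliance log you point this at."""
import re
from collections import Counter

VROPS_PREFIX = "/ui/vropspluginui/rest/services/"

# Combined-format access log: client, two ignored fields, timestamp,
# request line, status, size.  Assumed format for the sample only.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one benign login, one scanner probing uploadova
# (GET answered 405, then a POST accepted), one request that was properly
# rejected, and unrelated API traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 5123
203.0.113.9 - - [24/Feb/2021:10:02:10 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0
203.0.113.9 - - [24/Feb/2021:10:02:11 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0
10.0.0.5 - - [24/Feb/2021:10:03:00 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 401 0
198.51.100.7 - - [24/Feb/2021:10:04:30 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 1024
"""

REJECTED = {401, 403, 404}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_vrops_plugin_hits(log_text):
    """One record per request under VROPS_PREFIX.

    'reachable' is True when the server did not reject the request outright:
    any 2xx, or a 405 to a wrong-method probe, means the route was served
    without authentication getting in the way."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(VROPS_PREFIX):
            continue
        rec["status"] = int(rec["status"])
        rec["reachable"] = rec["status"] not in REJECTED
        hits.append(rec)
    return hits


def reachable_sources(hits):
    """Client addresses that got a non-rejected answer, with request counts."""
    return Counter(h["src"] for h in hits if h["reachable"])


if __name__ == "__main__":
    found = find_vrops_plugin_hits(SAMPLE_LOG)
    for h in found:
        flag = "REACHABLE" if h["reachable"] else "rejected"
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]} {flag}')
    print("sources that reached the plugin:", dict(reachable_sources(found)))
```

Run it against exported logs after patching to see whether anyone found the endpoint before you did; a source with a successful POST to uploadova is a forensics case, not a scanner annoyance, because that call is the file-write primitive the RCE rests on.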

Tyler Robinson – Managing Director of Network Operations at Nisos, Inc