psw686

Paul’s Security Weekly Episode #686 – March 11, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. How Illicit Markets Really Operate – 06:00 PM-06:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

Description

David has been studying the structure, size and scope of illicit markets for over 10 years. He has come to realize just how fragmented illicit markets are, how a few select vendors often control most of the sales, and how important social bonds are even in the context of anonymous illicit markets.

Guest(s)

David Hétu

David Hétu – Chief Research Officer at Flare Systems

@ddhetu

David Hétu is a co-founder and Chief Research Officer of Flare Systems. David has a Ph.D. in criminology from the Université de Montréal. His main research interest is in online illicit markets and the impact of technology on crime. David’s research has been published in the highest academic journals (ex. British Medical Journal) and presented at leading conferences. David and his team will be launching the BSides MTL conference in the Fall 2021.

Hosts

LarryPesce

Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Russian regex, John McAfee, Verkada Hack, & Microsoft Exchange – 07:00 PM-08:30 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Microsoft Exchange had some vulnerabilities, how could you not hear about them?, Russians try to throttle Twitter, silicon valley security camera company has been breached and we get to see what it looks like as they make Teslas in China, Did I mention that there was an Exchange hack?, free tool release to help secure the supply chain (but not Russians with bags of cash), the best practices aren’t always the best, advanced Linux malware and how not to encrypt C2 and hide files, and network-based multi-domain macro-segmentation situational awareness for compliance, & more!

Hosts

LarryPesce

Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

  1. Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github
  2. Russian attempt to throttle Twitter appears to backfire
  3. Multiple Attack Groups Exploited Microsoft Exchange Flaws Prior to the Patches
  4. Git clone vulnerability announced – The GitHub Blog
  5. Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
  6. Bitflips when PCs try to reach windows.com: What could possibly go wrong?
LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. F5 urges customers to patch critical BIG-IP pre-auth RCE bug – F5 Networks released patches for four critical remote code execution flaws affecting most BIG-IQ and BIG-IP software versions. CVE-2021-22986 allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices. The other vulnerabilities, CVE-2021-22987, CVE-2021-22991, and CVE-2021-22992, are also listed as Critical and allow authenticated remote attackers to execute arbitrary system commands.
  2. Email Hackers Defraud TM Supermarkets Of $22 Million In BEC Scam – Hackers have reportedly defrauded Zimbabwe’s TM Supermarkets out of some $22 million in what appears to be a business email compromise (BEC) scam in which unidentified hackers emailed instructions to the supermarkets’ bank (Steward Bank) requesting that it transfer funds to four attacker-controlled accounts.
  3. Tesla Shanghai factory among sites exposed in huge security camera hack – An international hacker collective says it breached a massive amount of security camera data collected by San Mateo, Calif.-based start-up Verkada and accessed live camera feeds live feeds from 150,000 surveillance cameras located inside hospitals, prisons, schools, police departments, and companies, including Tesla Inc.
  4. iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content – As part of its macOS Big Sur 11.2.3, iOS 14.4.1, and iPadOS 14.4.1 security fixes, Apple has addressed a memory-related vulnerability (CVE-2021-1844) affecting its WebKit browser engine used by Safari on iPhones and MacBooks that could lead to arbitrary code execution if victims visit a website hosting malicious code.
  5. 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware – Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store. This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.
  6. Google, Linux Foundation, Red Hat release free tool to secure software supply chains – Sigstore tool will provide the infrastructure for developers to cryptographically sign software releases, container images, or binaries and then save signing proof in public and auditable logs.

    Google described the new project as “Let’s Encrypt for Code Signing.”

    The Linux Foundation, which is formally hosting and shepherding the project, said Sigstore was created to address the problem of software supply chain security.

  7. A Basic Timeline of the Exchange Mass-Hack — Krebs on Security – Timeline of what happened when and why we’re in a fix-it-now rather than patch Tuesday cycle.
  8. Microsoft’s MSERT tool now finds web shells from Exchange Server attacks – Microsoft has pushed out a new update for their Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in the recent Exchange Server attacks. Tool scans and removes (by default) discovered web shells.
  9. Everything you need to know about the Microsoft Exchange Server hack – What happened, vulnerabilities explained, mitigation/patch options. Scope of attack.
  10. Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 – Microsoft Security Response Center
  11. Unpatched QNAP devices are being hacked to mine cryptocurrency – Unpatched network-attached storage (NAS) devices are targeted in ongoing attacks where the attackers try to take them over and install cryptominer malware. Update firmware/software, review accounts, review installed software, add the QNAP MalwareRemoval app.
  12. Idaho Man Charged With Hacking Into Computers in Georgia – An Idaho man faces federal charges after authorities say he hacked into the computers of a Georgia city and Atlanta area medical clinics. He purchased credentials for the targeted systems online.
  13. Docker Hub and Bitbucket Resources Hijacked for Crypto-Mining – Aqua Security observed that attackers created 92 malicious Docker Hub registries and 92 Bitbucket repositories in just four days, indicating a resurgent crypto-mining campaign in which attackers are using those resources to infect targeted systems with the “Monero” cryptominer and mine for cryptocurrency.
  14. About 580,000 SIA KrisFlyer and PPS members affected by external data leak – Singapore Airlines (SIA) has disclosed it suffered a data breach after third-party information technology firm Sita’s passenger service system servers were compromised and leaked some 580,000 SIA KrisFlyer and POS programmes members’ personally identifiable information (PII). The connection is via Star Alliance Data which allowed Sitka to access data from all other airlines.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Scanning for Secrets in Source Code
  2. John McAfee Indicted for ICO Manipulation, Securities Fraud – Security Boulevard
  3. BEST PRACTICES – 9 must-do security protocols companies must embrace to stem remote work risks – Bleh, these articles simply don’t help. I get the goal may be to present security in a simplistic way so that the majority of people can understand. However, watering it down too much results in useless advice, like this: “Secure home router. It’s essential to take simple steps to protect your home internet and change your router’s password to stop your network from being vulnerable.” I’d argue these problems fall on us as security professionals to make security something that we worry about and improve, rather than the end-users.
  4. Compliance – The Invisible Hand Guiding Cybersecurity – Uhm, little or no human intervention? Really? Please explain… “A secure configuration management tool combines network monitoring and Endpoint Protection methodology to compare monitored systems against an approved configuration baseline or a golden image. Deviation from this baseline, known as test failures, can usually be corrected with little or no human intervention.”
  5. F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs
  6. Researcher finds 5 privilege escalation vulnerabilities in Linux kernel
  7. Microsoft Windows Containers Privilege Escalation – Exploitalert
  8. What we know about the attack targeting Microsoft Exchange Servers
  9. Linux Systems Under Attack By New RedXOR Malware – OMG, it’s so hidden! “After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”), and sets up persistence via “init” scripts.”
  10. Idaho Man Charged With Hacking Into Computers in Georgia – “Hacking” is not the term I would use here: “Between June 2017 and April 2018, Purbeck is accused of buying the usernames and passwords to computer servers belonging to multiple Georgia victims and then using that information to access their computer to steal personal information.” Also, one of his handles was “studmaster”, so, there’s that.
  11. “Puss in Boots” and social engineering – An outstanding example of social engineering: “The cat asks his master to bath naked in the river and hides his clothes afterwards. Then, he stops the royal carriage under the pretence that his master has been robbed and requests the king’s assistance. This event exemplifies an important stage in every scam, the “hurrah”. It is an artificially induced crisis to force the victim to take a rush decision. ” Also, an extremely well-written article, a refreshing change of pace :)
  12. New Side-Channel Attack Targets Intel CPU Ring Interconnect
  13. 5 free network-vulnerability scanners – Free is more like a trial and not full-featured software. They all do it differently, Tenable allows you to scan 16 IP addresses, Rapid 7 has a community edition that is good for one year. I could not find a chart listing the differences between these versions, are they limited in comparison to the commercial version.
  14. Hack of ‘150,000 cameras’ investigated by camera firm
  15. Linux Foundation launches software signing service – LOL: “The “sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify. I’m hoping we can make this easy as exiting vim,” said Dan Lorenc of Google’s Open Source Security Team, joking about the tough-to-quit text editor.” Also, how do we prevent a developer who maintains a large and popular open-source project from Russians who drop a bag filled with $20 million cash from introducing a backdoor. More eyes on it? Maybe, but the codebase is so large and complex I’d bet it would go undiscovered for a really long time, long enough to buy your own island…
  16. Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
  17. Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks – “SoC Ring interconnect is an on-die bus arranged in a ring topology which enables intra-process communication between different components (aka agents) such as the cores, the last level cache (LLC), the graphics unit, and the system agent that are housed inside the CPU. Each ring agent communicates with the ring through what’s called a ring stop. To test their hypothesis, the researchers reverse-engineered the ring interconnect’s protocols to uncover the conditions for two or more processes to cause a ring contention, in turn using them to build a covert channel with a capacity of 4.18 Mbps, which the researchers say is the largest to date for cross-core channels not relying on shared memory, unlike Flush+Flush or Flush+Reload.”
  18. Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
  19. Google Chrome to block port 554 to stop NAT Slipstreaming attacks – How would this impact enterprises? “Chrome briefly blocked port 554 before, but it was unblocked due to complaints from enterprise users. However, we have now achieved rough consensus at https://github.com/whatwg/fetch/pull/1148 to block 554”
  20. Israeli spyware firm NSO Group faces renewed US scrutiny – How do we feel about companies such as this: “The Israeli company, which makes hacking software that it sells to foreign governments and law enforcement authorities for the stated purpose of tracking terrorist and criminals, has faced a number of allegations that its clients have used its software to target journalists, government officials and human rights campaigners.”
  21. How I Might Have Hacked Any Microsoft Account – “Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled). It is not at all a easy process to send such large number of concurrent requests, that would require a lot of computing resources as well as 1000s of IP address to complete the attack successfully.”
  22. Passing a compliance audit in the cloud doesn’t have to be hard – Hrm, maybe? “Once the automation is in place in the cloud, passing audits will be a matter of routine rather than a source of anxiety.”
  23. Hackers access 150,000+ security cameras in massive Verkada hack – “It is being reported that more than 100 Verkada Inc. employees had access to thousands of cameras used by its customers whilst they were unaware that the company could peer through their cameras. This list of these customers/clients includes police departments, schools, top firms, and hospitals, etc.”
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. Ransomware Research, Threats, and Futures – 08:30 PM-09:15 PM

Announcements

Description

Assaf Dahan, Sr Director, Head of Threat Research at Cybereason, discusses current trends in ransomware research. What happens when we’re not watching or watching the wrong indicators? And threat actor handoff off pillaging to Cyber Merenaries.

Guest(s)

Assaf Dahan

Assaf Dahan – Sr Director, Head of Threat Research at Cybereason

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he gained extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis, reverse engineering and threat intelligence.

Hosts

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly