
Paul’s Security Weekly Episode #687 – March 18, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Getting The Real Work Done With Plextrac – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/plextrac for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

Dan will run through some customer testimonials on how they are using Plextrac effectively to get the real work done in security!

This segment is sponsored by PlexTrac.

Visit https://securityweekly.com/plextrac to learn more about them!

Guest(s)

Dan DeCloss

Dan DeCloss – Founder / CEO & President at PlexTrac

@wh33lhouse

Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.

Hosts


Doug White

@dougwhitephd

Professor at Roger Williams University


Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems


Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security


Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian

@securityweekly

Founder at Security Weekly


Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Security Grades, Mirai, Quantum Cryptography, & Hacking “Beer” – 07:00 PM-08:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for modern ransomware attacks! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In the Security News: if software got a security grade, most would get an F, SolarWinds hackers got some source code, new old bugs in the Linux kernel, hack stuff and get blown up, stop hacking “beer”, weekly Chrome zero day, Mirai lives, long live Mirai, how attackers could intercept your text messages, and rigging the election, the Homecoming Queen election that is.

Register to attend Joff Thyer’s upcoming Wild West Hacking Fest course “Enterprise Attacker Emulation and C2 Implant Development”: http://bit.ly/JoffsC2Class

Hosts


Doug White

@dougwhitephd

Professor at Roger Williams University

  1. Ulysses Group claims they can track nearly any vehicle in Real Time or historically
  2. SMS Text Messaging is not a Secure Channel

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

  1. Dick Hoyt, ‘heart and soul of the Boston Marathon,’ dies at 80 – Not a security story, but I add this for everyone that needs a kick in the pants. We all have problems and we are all dealing with depression because of Covid-19, so let this story inspire and encourage you.
  2. The Disaster of the Hafnium Attack on Microsoft Exchange and What to Do About It | onShore Security – A vulnerability, initially detected and reported on in January, has been used in a zero-day exploit to gain access to web facing Microsoft Exchange email servers. This attack is now being characterized as a “global cybersecurity crisis”. The level of attack, number of victims, and method of exploit are all unprecedented.

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security


Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Microsoft tool provides automated Exchange threat mitigation – Microsoft has released a PowerShell script to help customers running its Exchange Server on-premises software to quickly and easily mitigate against an attack. The “Exchange On-Premises Mitigation Tool” (EOMT) addresses a server-side request forgery authentication bypass vulnerability (CVE-2021-26855) via a uniform URL rewrite configuration.
  2. Hackers hide credit card data from compromised stores in JPG file – Hackers are now exfiltrating stolen credit card data lifted from compromised online stores inside JPG image files on the compromised web site in order to reduce their traffic footprint and evade detection.
  3. Ex-contractor accessed Vic govt IT system 260 times a year after leaving – The Office of the Victorian Information Commissioner’s (OVIC) has disclosed that between September 2017 and October 2018, a former contractor working for an unnamed contracted service provider (CSP) managed to breach Victorian government IT systems 260 times and steal personally identifiable information (PII) from its client relationship information system for service providers (CRISSP) for 12 months after leaving the CSP.
  4. Azure Active Directory issue takes down Teams, Office, Dynamics and more for some users – An Azure Active Directory issue causing authentication problems is affecting a subset of Microsoft customers worldwide across many Microsoft services, including Azure Portal, Dynamics, Office, Teams, and Xbox Live. Microsoft says the issue has been mitigated as of March 16.
  5. New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild – New wave of attacks exploiting multiple vulnerabilities to deploy ZHtrap (Mirai variant) on compromised systems. Attackers exploited vulnerabilities in various firewalls, VPNs, and Ethernet switches to infect targeted systems.
  6. Hackers are targeting telecom companies to steal 5G secrets – Chinese APT group “Mustang Panda” (RedDelta) has been spotted targeting telecommunications firms in Europe, Southeast Asia, and the U.S. in ongoing attacks designed to infect targeted systems with malware and steal sensitive data, including detailed information related to 5G technology. Once victims visit the malicious page, it delivers a bogus Flash app that is then used to drop the “Cobalt Strike” backdoor.
  7. FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK – An alert issued on Tuesday by the FBI warns about an increase in PYSA ransomware (aka Mespinoza) attacks on education institutions in the United States and the United Kingdom. PYSA operators post information on their dark web blog about their ransomware attack victims and threaten to publish stolen data if that ransom is not paid.
  8. Hacker leaks payment data from defunct WeLeakInfo breach site – A threat actor reportedly breached the now-defunct “WeLeakInfo” data breach site and leaked customers’ personally identifiable information (PII) as well as the service’s payment information. Information compromised includes victims’ full names, email addresses, phone numbers, physical addresses, and, in many cases, passwords.
  9. SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures – CISA has released a table of TTPs used by the APT actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
  10. Google: This Spectre proof-of-concept shows how dangerous these attacks can be – Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser’s JavaScript engine to leak data from its memory to another site.
  11. CRA locks out taxpayer accounts after discovering unauthorized use of credentials – CRA reportedly revoked some 800,000 taxpayers’ CRA account credentials after discovering that an unidentified individual or group breached its systems in February 2021 and stole users’ account credentials. Canadians remain an attractive target due to a high standard of living and technology adoption rate.
  12. Breach Exposes Data of 200K Health System Staff, Patients – A medical practice management firm that provides support to Tacoma-based MultiCare Health System has alerted over 200,000 patients, providers and staff that their PII may have been compromised after its technology vendor, Netgain Technology, was hit by a ransomware attack.
  13. DearCry ransomware attacks Microsoft Exchange with ProxyLogon exploits – Researchers say they have spotted attackers installing a new piece of ransomware dubbed “DEARCRY” after hacking into Microsoft Exchange servers vulnerable to the recently uncovered “ProxyLogon” vulnerabilities.
  14. Molson Coors Suffers Suspected Ransomware Attack – Molson Coors disclosed it suffered what appears to be a ransomware attack after experiencing a “system outage caused by a cybersecurity incident” that resulted in disruptions to its operations. They have “[E]ngaged leading forensic information technology firms and legal counsel to assist the company’s investigation into the incident and the company is working around the clock to get its systems back up as quickly as possible.”
  15. Russia and Iran tried to interfere with 2020 election, U.S. intelligence agencies say – Russia and Iran both carried out operations to interfere with the election, designed to undermine confidence in the election process.
  16. GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9 – These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
    Security Fix:
    Remote code execution via unsafe user-controlled markdown rendering options – Critical
    An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorised authenticated users to execute arbitrary code on the server. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9).
  17. AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool – This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

    AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.

    AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

    Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.


Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. D-Link DIR-3060 1.11b04 Command Injection – The disclosure timeline is pretty hilarious. Also, I learned about a new company that is automating firmware analysis.
  2. Biden administration mulls software security grades after SolarWinds – “The White House is contemplating the use of cybersecurity ratings and standards for U.S. software, a move akin to how New York City grades restaurants on sanitation or Singapore labels internet of things devices” – There are challenges here. First, the rating has to be based on something that can be measured. You can measure the number of germs and bacteria in a kitchen using, well, science. How do you measure whether or not the software is secure? If there was a scientific and accurate way to do this, we wouldn’t be having this conversation. Software changes, has multiple components that change, behaves differently in different environments, can be manipulated on the client and the server, and authentication is a huge issue.
  3. Dawn of the new era of Cryptography called “Quantum Cryptography” – “In the case of quantum cryptography, as you can see from the above diagram Alice tries to send photons which are in a specific direction to Bob. And Bob has placed a filter (in the middle) which is in an upward and downward direction, so that the photon getting out of the filter are either in upward or downward direction only. Even if the photons are diagonally tilted at Alice’s end it comes out from the filter in either up or down direction.”
  4. Smart doorbells on business premises make your property more attractive to burglars, warns researcher
  5. NFT digital art is already attracting hackers – “Nifty Gateway, a marketplace where users can buy, sell and display digital items, said in a statement that it encourages users to use two-factor authentication (2FA) to prevent account takeovers and hacking, noting that none of the accounts that were affected had 2FA enabled. The company, said it has seen “no indication of compromise of the Nifty Gateway platform.””
  6. Magecart Attackers Save Stolen Credit-Card Data in .JPG File – “Specifically, Sucuri found that attackers injected PHP code into a file called ./vendor/magento/module-customer/Model/Session.php, then used the “getAuthenticates” function to load malicious code, Leal said. The code also created a .JPG file, which attackers used to store any data they captured from the compromised site, he said.”
  7. Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices – Researchers are trying to match exploits to 0day vulnerabilities in Mirai: “The exploits themselves include two RCE attacks — including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.”
  8. Mom & Daughter Duo Hack Homecoming Crown – This was not really hacking, basically her Mom worked at the school and shared her creds with her daughter for the school management system: “On Oct. 31, Carroll’s daughter was crowned Homecoming Queen, but the victory was short-lived. The Washington Post said that before the vote window was closed, Election Runner sent an alert to the school warning that many of the votes were suspected to be fraudulent. Carroll’s daughter didn’t seem too worried about hiding the fraud, since she bragged to fellow students about the stolen votes. Arrest records document about 117 votes from the same IP address, which investigators were able to trace back to Carroll’s home and cellphone, the Post reported.”
  9. Can We Stop Pretending SMS Is Secure Now? – My question is how are they intercepting the messages on the backend and can’t the cell providers put a stop to this? ““It’s not a Sakari thing,” Lucky225 replied when first approached for more details. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.””
  10. SolarWinds hackers stole some of Mimecast source code
  11. Google Warns Mac, Windows Users of Chrome Zero-Day Flaw – So much 0day for Chrome this year: “Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems.” The problem is Chrome has become the new IE. Stuff just works in Chrome. When I switch to Chromium or Edge, stuff doesn’t work. Firefox perhaps? Does it matter?
  12. Molson Coors discloses cyberattack disrupting its brewery operations – Water is essential for living: “On a global scale, cybercriminals will continue to focus their efforts on this revenue-generating stream. This reinforces what we’ve said before that no industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure that critical information assets remain safeguarded and protected against it.”
  13. Critical Security Hole Can Knock Smart Meters Offline – “Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is used by consumers in their homes, but also by utility companies that deploy these meters in order to monitor and bill customers for their services. They’re also used by industrial companies, data centers and healthcare companies.”
  14. A Hacker Got All My Texts for $16 – Original article everyone is talking about.
  15. Exclusive: ‘Dumb mistake’ exposed Iranian hand behind fake Proud Boys U.S. election emails – Really dumb lol: “The video showed the hackers’ computer screen as they typed in commands and pretended to hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names and an internet protocol (IP) address.”
  16. Defence review: UK could use Trident to counter cyber-attack – I don’t see cyber attack specifically being called out: “The new policy says Britain would “reserve the right” to use nuclear weapons in the face of “weapons of mass destruction”, which includes “emerging technologies that could have a comparable impact” to chemical or biological weapons.”
  17. Pwning the pen tester: Malicious Wireshark packet capture file risk revealed – “A discussion on source code management platform GitLab suggests the issue may have been introduced with changes to Wireshark made as long as 17 years ago. The root cause of the problem is that for some schemes, referenced files will be opened by the system’s standard application associated with a particular file type”
  18. Microsoft’s Azure SDK site tricked into listing fake package – Sloppy on Microsoft’s part: “However, the researcher has clarified this is not the result of dependency confusion but rather something much simpler. The researcher published the alexbirsantest package to npm and further added the npm account azure-sdk as a collaborator to his package, by following simple instructions laid out by npm. In this particular case, the “azure-sdk” accounts used on npm and GitHub appear to be bots configured to pick up any and all npm packages that these accounts were listed as collaborators for.”
  19. Paranoid Ninja on Twitter – This is just sloppy reporting and should be called out: https://www.securitynewspaper.com/2021/03/16/two-critical-zero-day-vulnerabilities-in-microsoft-office-365-allow-authentication-of-malicious-users/ Quote: “Paranoid Ninja ensures that cybercriminal groups often use these vulnerabilities to organize malicious campaigns aimed at users of this suite. In this regard, Microsoft will soon begin notifying users of its Office 365 service of hacking operations allegedly deployed by threat actors sponsored by foreign governments. “
  20. New Old Bugs in the Linux Kernel – Best article this week: “If you’re thinking “wait, is all of this just automatically up and running even if I don’t use SCSI or iSCSI?”, that’s great because that line of questioning would lead to you to the concept of on-demand kernel module loading and an attack vector that’s been around for a long time.”

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. Plextrac Mini-Series Episode 1: Purple Teaming – 08:30 PM-09:30 PM

Sponsored By

sponsor
Visit https://securityweekly.com/plextracseries for more information!

Description

The first episode of Security Weekly’s podcast mini-series with PlexTrac “Getting the Real Work Done in Cybersecurity” starts with PlexTrac’s bread and butter, Purple Teaming! The group – along with special guest Bryson Bort of SCYTHE – discuss the ins and outs of purple teaming. Topics covered on the show include the importance of collaboration within your security team, the idea of a milestone-based approach to security, purple teaming engagements, and much more.

This segment is sponsored by Plextrac.

Visit https://securityweekly.com/plextracseries to learn more about them!

Visit https://www.securityweekly.com/series to view the entire PlexTrac Mini Series!

Guest(s)

Bryson Bort

Bryson Bort – Founder & CEO at SCYTHE

@brysonbort

Bryson is the Founder and CEO of SCYTHE and Founder of GRIMM. Prior to launching SCYTHE and GRIMM, Bryson led an elite research & development (R&D) division that directly contributed towards National Security priorities and interest. Prior to that he developed an enterprise R&D program and supported creation of a cybersecurity strategy as a Deputy CTO and Program Director focused on supporting technology research and global infrastructure for the DoD and the Intelligence Community.

Hosts


Dan DeCloss

@wh33lhouse

Founder / CEO & President at PlexTrac


Paul Asadoorian

@securityweekly

Founder at Security Weekly


Shawn Scott

@shawnhscott

Vice President of Success at PlexTrac