Paul’s Security Weekly Episode #688 – March 25, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Taming Vulnerability Overload – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/ for more information!

Description

Almost weekly, hackers discover and exploit vulnerabilities in popular programs like SolarWinds and Microsoft Exchange Server, impacting thousands. While it would be great to eradicate these vulnerabilities in the programs themselves, it is unlikely to happen any time soon. That’s why patching vulnerabilities quickly is important, yet even when patches are available, companies often fail to patch promptly. We’ll discuss the barriers companies face that delay patching, and Qualys’ experience creating free services that help companies detect specific vulnerabilities and patch remotely for events like the SolarWinds and Microsoft Exchange incidents. The session will include a brief demo of Qualys’ free 60-day service to detect, prioritize, and patch vulnerable Exchange servers, and to detect environments missing compensating controls.

This segment is sponsored by Qualys.

Visit https://securityweekly.com/ to learn more about them!

Guest(s)

Mehul Revankar – VP Product Management and Engineering, VMDR at Qualys

@MehulRevankar

Mehul is a cybersecurity professional with over 15 years of experience in Vulnerability Management, Policy Compliance and Security Operations. He leads the product management and engineering functions for VMDR (Vulnerability Management, Detection and Response) at Qualys. Before joining Qualys, Mehul led development of vulnerability and patch management products at SaltStack, and prior to that he led multiple research teams at Tenable.

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. Open Redirects – An Underestimated Vulnerability – 07:00 PM-07:45 PM

Sponsored By

Visit https://securityweekly.com/netsparker for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Learn what redirects are, the different types, how they work and how they are exploited by attackers. Oh, also learn how to defend against redirect attacks!

Sven’s Slide Deck – Open Redirects: https://securityweekly.com/wp-content/uploads/2021/03/Netsparker-Sven-Morgenroth-3-25-21-Open-Redirect.pdf

This segment is sponsored by Netsparker.

Visit https://securityweekly.com/netsparker to learn more about them!

Presenter(s)

Sven Morgenroth – Security Researcher at Netsparker

@asdizzle_

Sven Morgenroth is a security researcher at Netsparker. He found filter bypasses for Chrome’s XSS auditor and several web application firewalls. He likes to exploit vulnerabilities in creative ways and has hacked his smart TV without even leaving his bed. Sven writes about web application security and documents his research on the Netsparker blog.

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

3. DOOM Exploit, iPhone Deep Fakes, & 11 0-Days Infect Devices – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, and join our Discord Server!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

This week in the Security News: Doom exploit wins an award, a puzzle honors Alan Turing, anyone can create a deepfake, Jabber bugs, unquoted service paths, Nim malware, Deadly sins of secure coding, & are we living in the toughest time of Cybersecurity?

Register to attend Joff Thyer’s upcoming Wild West Hacking Fest course “Enterprise Attacker Emulation and C2 Implant Development”: http://bit.ly/JoffsC2Class

Hosts

Doug White

@dougwhitephd

Professor at Roger Williams University

  1. Perspective: Anyone with an iPhone can make deep fakes
  2. Researchers design an AI-powered backpack for the visually impaired
  3. Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections
  4. Microsoft Offers Up to $30,000 for Vulnerabilities in Teams Desktop Client
  5. Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail
Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems

  1. GCHQ releases ‘most difficult puzzle ever’ in honour of Alan Turing – 12 riddles linked to new £50 note featuring the codebreaker may take seven hours to crack.
  2. Vulnerability Management Is Still a Mess – A topic of interest for me of late, so it’s good to get an alternative view from down the rabbit hole.
  3. Facebook shuts down hackers who infected iOS and Android devices – Social media platform used to spread malware that spied on Uyghurs.
  4. California Controller’s Office suffers data breach after employee fell for phishing email – “The data breach was caused by a phishing attack in which an employee of the State Controller’s Office Unclaimed Property Division clicked on a link in an email and then entered a user ID and password as prompted.” Okay, everyone is going to get phished. But sharing credentials??? That’s on the Security Awareness Program IMO.
  5. SaltStack revises partial patch for command injection, privilege escalation vulnerability – The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
  6. Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure – A security researcher has launched a GoFundMe campaign to secure legal representation after a responsible disclosure notice apparently went sour.
Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Forex Broker Leaks Millions of Customer Records Online – A misconfigured, unsecured cloud database belonging to Belize-based forex broker FBS has been found exposed online containing more than 20TB of sensitive customer data.
  2. CNA insurance firm hit by a cyberattack, operations impacted – CNA Financial has disclosed it suffered a “cyberattack” that forced the company to shut down specific systems and take down its website to minimize the attack’s impact.
  3. Shell Latest to Fall to Accellion FTA Exploits – Shell has disclosed it suffered a data breach after an unauthorized individual leveraged vulnerabilities affecting its Accellion FTA and gained access to files containing PII belonging to those working with the company.
  4. Adobe Patches Critical ColdFusion Security Flaw – Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion; the fix requires updating both the server and the JRE/JDK.
  5. MangaDex manga site temporarily shut down after cyberattack – MangaDex has temporarily taken its site down after a malicious actor managed to access an admin, a developer account, and its source code on March 17. A malicious actor had managed to gain access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management.
  6. Computer giant Acer hit by $50 million ransomware attack – March 18, 2021, the “REvil” ransomware group announced on its data leak site that it had breached systems belonging to New Taipei City, Taiwan-based electronics and hardware manufacturer Acer; stole an array of documents that included bank balances, bank communications, and financial spreadsheets; and demanded the company pay $50 million USD in ransom.
  7. China Bans Tesla Cars From Entering Military Locations and Housing Compounds – China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk’s cars from entering any Chinese military complexes or housing compounds.
  8. XcodeSpy Mac malware targets Xcode Developers with a backdoor – Researchers say they have spotted attackers leveraging a Trojanized Xcode project, dubbed XcodeSpy, in a series of attacks designed to infect iOS developers’ systems with a variant of the “EggShell” backdoor. This had previously been reported as Redpanda in June 2020 by Mandiant.
  9. “Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users – As part of a nine-month-long, “highly sophisticated” hacking campaign, a team of advanced hackers reportedly exploited at least 11 zero-day vulnerabilities using compromised websites in order to infect fully patched devices running Android, iOS, and Windows.
  10. Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military – Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.
Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Arbitrary code execution in DOOM – From the Git repo: “This example only works in version 1.9 The Ultimate Doom. That is, no Doom2, no The Final Doom or Anthology. (Why is there so many different 1.9 versions?)” – This is super cool, I don’t remember enough about DOS-based Doom games, but it’s cool. It won an award, yes, they have a Doom hack award thing. I never knew that was a thing, but I also think it’s really cool! Awards: https://www.doomworld.com/cacowards/2020/others/ (Machaward – Most creative, unusual, or artistically compelling project of the year: Arbitrary Code Execution – @kgsws)
  2. CISA releases CHIRP, a tool to detect SolarWinds malicious activity – “Similar to Sparrow, CHIRP scans for signs of APT compromise within an on-premises environment, by default it searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A alerts. The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants.”
  3. Critical Cisco Jabber Bug Could Let Attackers Hack Remote Systems – “CVE-2021-1411, which concerns an arbitrary program execution vulnerability in its Windows app, is also the most critical, with a CVSS score of 9.9 out of a maximum of 10. According to Cisco, the flaw is due to improper validation of message content, thus making it possible for an attacker to send specially-crafted XMPP messages to the vulnerable client and execute arbitrary code with the same privileges as that of the user account running the software.”
  4. Ext2Fsd v0.68 – ‘Ext2Srv’ Unquoted Service Path – I would think MS Defender could catch these? https://www.commonexploits.com/unquoted-service-paths/
  5. Review: OpenBSD 6.8 on 8th Gen Lenovo ThinkPad X1 Carbon 13.3″ – This is pretty brave: “10 days ago, I bought this X1 Carbon. I immediately installed OpenBSD on it. It took me a few days to settle in and make myself at home, but here are my impressions.”
  6. Nim Strings (Extracting Strings From Nim) – “Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string.” And now thanks to Didier we have a Python script to extract them. Nim is interesting: “Nim is an imperative, general-purpose, multi-paradigm, statically typed, systems, compiled programming language designed and developed by Andreas Rumpf. It is designed to be “efficient, expressive, and elegant”, supporting metaprogramming, functional, message passing, procedural, and object-oriented programming styles by providing several features such as compile time code generation, algebraic data types, a foreign function interface (FFI) with C, C++, Objective-C, and JavaScript, and supporting compiling to those same languages.” https://en.wikipedia.org/wiki/Nim_(programming_language)
  7. Mozilla Firefox 87 Out With New Default Referrer Policy For More Privacy – “Starting with Firefox 87, we set the default Referrer Policy to ‘strict-origin-when-cross-origin’ which will trim user sensitive information accessible in the URL. As illustrated in the example above, this new stricter referrer policy will not only trim information for requests going from HTTPS to HTTP but will also trim path and query information for all cross-origin requests. With that update, Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience.”
     Attribution link: https://latesthackingnews.com/2021/03/24/mozilla-firefox-87-out-with-new-default-referrer-policy-for-more-privacy/
  8. Hackers Exploit Telegram API For Server-Side Data Exfiltration – “The researchers caught the malicious code running on the login page (wp-login.php) of a WordPress website. This placement allowed the attackers to steal the users’ credentials directly. In the case of admins, such data theft directly leads to website takeover.” and “The attacker uses file_get_contents to make their remote request to Telegram’s API URL, allowing them to transmit the stolen data without leaving much evidence of the exfiltration on the server. Adding this feature also allows the attacker to access the stolen data in real-time, instead of having to check a text file for any captured information.”
  9. Microsoft Exchange ProxyLogon Remote Code Execution – And now there’s a Metasploit module/exploit…
  10. Deadly Sins of Secure Coding – “Gluttony — We’ve implemented our own framework. It’s really hard to attack, Relying on Assumptions & Happy Paths — It’s an edge case, Obscurity — How will they know, to attack here?, Blame — It’s your fault!”
  11. State prosecutors push Facebook, Twitter to do more to slow virus misinformation – “Bad actors and grifters have been spreading misinformation about vaccines on social media, including on Facebook and Twitter, for years. Some of the most infamous purveyors of vaccine and infectious diseases misinformation have been Russian government-backed trolls linked to the Internet Research Agency (IRA), the same entity that U.S. officials have said interfered in the 2016 presidential election.”
  12. The Toughest Time of Cybersecurity – “When considering cybersecurity, we need to understand it operates according to a different set of rules than the physical world. We keep distance, set borders as physical security controls. But in cyberspace, the concepts like distance, borders, and proximity all operate differently, which has profound security implications.” “One thing in common between SUNBURST and the recent zero-day attacks on Microsoft Exchange is that they are both found to have been state-sponsored.” And then alert fatigue and skill shortage = bad news for cybersecurity.
  13. Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users – What were they after? Something good in order to burn 11 0days. “Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized “watering hole” assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets.”
  14. The most common on premises vulnerabilities & misconfigurations – “In this blog post I’m gonna cover the in my opinion most common findings in a Windows Active Directory environment, which can be found and abused for Privilege Escalation and Lateral Movement in such a project. It’s about on premises vulnerabilities and misconfigurations in an internal company environment as well as mitigations.”