
Paul’s Security Weekly Episode #690 – April 08, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. nzyme – Free & Open WiFi Defense System – 06:00 PM-06:45 PM

Announcements

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for & prevent modern ransomware attacks! Our next technical training will be on May 6th at 11am ET. This technical training webcast will explore common misconfigurations of NGINX, the damage they could do, and how to avoid them. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Nzyme is a new kind of WiFi IDS (WIDS) that detects adversaries by looking at hard to spoof characteristics of an attacker. Existing WIDS tend to look at extremely easy to spoof metadata like channels or BSSIDs. The new approach of nzyme looks at hardware fingerprints and physical attributes like signal strengths. For example, it constantly tries to follow the signal “track” of every WiFi access point in range and alerts once a second track appears because this is most likely someone spoofing the legitimate access point from a different location.
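The signal "track" idea described above, as an added Python illustration. This is not nzyme's code and makes no claim about nzyme's internals; it only shows the shape of the check. Assumptions (mine, not the page's): beacon RSSI values for one BSSID are clustered into tracks with an 8 dB tolerance, a track is only believed after three consistent readings so a single reflected or mis-read frame cannot raise an alert, and the observations are constructed inline rather than read from a monitor-mode capture.

```python
"""Toy WiFi signal-track detector, added here to illustrate the idea behind nzyme.

Not nzyme's code. In a real deployment the Observation values would come from a
monitor-mode capture (RSSI from the radiotap header of each beacon); here they
are constructed inline, and the tolerance/confirmation thresholds are arbitrary.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int  # dBm as reported for a captured beacon frame (constructed below)


class SignalTrackDetector:
    """Cluster beacon RSSI per BSSID into 'tracks'.

    One physical radio in one place should produce one track. A second confirmed
    track for the same BSSID means another transmitter is using that BSSID from a
    different position: most likely an evil twin of the legitimate access point.
    """

    def __init__(self, tolerance_db: int = 8, confirm_samples: int = 3) -> None:
        self.tolerance_db = tolerance_db        # assumed RSSI jitter allowed inside one track
        self.confirm_samples = confirm_samples  # assumed readings needed before a track is believed
        self._tracks: Dict[str, List[List[int]]] = {}   # bssid -> confirmed tracks (RSSI lists)
        self._pending: Dict[str, List[int]] = {}        # bssid -> readings not yet confirmed
        self.alerts: List[str] = []

    def _fits(self, rssi: int, cluster: List[int]) -> bool:
        return abs(rssi - mean(cluster)) <= self.tolerance_db

    def observe(self, obs: Observation) -> Optional[str]:
        """Feed one beacon observation; return an alert string if a second track is confirmed."""
        tracks = self._tracks.setdefault(obs.bssid, [])
        for track in tracks:
            if self._fits(obs.rssi, track):
                track.append(obs.rssi)
                return None
        # No known track matches. Buffer the reading; a lone outlier that is not
        # followed by consistent readings is discarded rather than alerted on.
        pending = self._pending.setdefault(obs.bssid, [])
        if pending and not self._fits(obs.rssi, pending):
            pending.clear()
        pending.append(obs.rssi)
        if len(pending) < self.confirm_samples:
            return None
        tracks.append(list(pending))
        pending.clear()
        if len(tracks) == 1:
            return None  # first confirmed track is the legitimate AP's baseline
        alert = (f"second signal track for {obs.bssid} ({obs.ssid}, ch {obs.channel}): "
                 f"baseline {mean(tracks[0]):.0f} dBm vs new {mean(tracks[-1]):.0f} dBm")
        self.alerts.append(alert)
        return alert

    def track_count(self, bssid: str) -> int:
        return len(self._tracks.get(bssid, []))


def run_demo() -> List[str]:
    """Constructed sample: a legitimate AP around -55 dBm (with one stray -20 dBm
    reading), then a spoofed copy of the same BSSID arriving around -30 dBm."""
    bssid, ssid, ch = "aa:bb:cc:dd:ee:01", "corp-wifi", 6
    legit = [-55, -57, -54, -56, -20, -55, -58, -54]
    rogue = [-31, -29, -30]
    det = SignalTrackDetector()
    for rssi in legit + rogue:
        det.observe(Observation(bssid, ssid, ch, rssi))
    return det.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The stray -20 dBm reading in the sample never becomes a track because the next readings return to the baseline, while the three consistent -30 dBm readings do; that confirmation step is what keeps this kind of check from alerting on every multipath reflection.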

Segment Resources:
https://www.nzyme.org/

Register for Joff’s Fun Regular Expressions class here:
https://bit.ly/JoffReLife

Guest(s)

Lennart Koopmann

Lennart Koopmann – CTO at Graylog, Inc

@_lennart

Lennart founded Graylog as an Open Source project in 2009 to meet the needs of application developers, DevOps, and IT Ops teams. Since that time, he has led the transformation of Graylog into a robust enterprise application and established the company’s product and technology platform as one of the leading centralized log management solutions.

In his free time, he enjoys amateur boxing and working on his free and open WiFi IDS project nzyme.

Hosts


Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems


Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian

@securityweekly

Founder at Security Weekly


Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element

2. Lessons Learned When Migrating from On Prem to Cloud – 07:00 PM-07:45 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

Less than 15% of enterprise customers are primarily cloud native. With so many companies still in early stages of cloud migration, what are the key lessons learned from early adopters as well as digitally native companies? What are common mistakes and how can one avoid them?

Register for Joff’s Fun Regular Expressions class here:
https://bit.ly/JoffReLife

Guest(s)

Dutch Schwartz

Dutch Schwartz – Principal Security Specialist at Amazon Web Services

@dutch_26

Dutch Schwartz has 25 years of experience in technology from startups to five Fortune 500 companies. He’s recognized as a thought leader in cybersecurity and his LinkedIn content had over 130k views in 2020. A sought-after speaker, he’s a frequent panelist and podcast guest on topics including the benefits of cloud security, how to create a culture of security, and how to break into cybersecurity. Having worked with more than 50 CISOs of Fortune 500 companies to create cybersecurity solutions, he understands the evolution of CISO responsibilities and the challenges which security teams face. Dutch holds a Master of Business Administration in Global Management and was a strategy and planning officer in the US Army. He melds his formal training with his practical experience in cybersecurity to develop cloud security strategies for customers of Amazon Web Services.

Hosts


Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems


Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian

@securityweekly

Founder at Security Weekly


Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element

3. Facebook Dump, Hacking Your Dishwasher, Zoom 0-Click Exploit, & Ubiquiti Response – 08:00 PM-09:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

Description

This week in the Security News, Polish blogger sued after revealing security issue in encrypted messenger, The Facebook dump and Have I Been Pwned, LinkedIn and more_eggs, APTs targeting Fortinet, SAP Applications Are Under Active Attack again, Is your dishwasher trying to kill you?, Ubiquiti All But Confirms Breach Response Iniquity, Cyber Threat Analysis, 11 Useful Security Tips for AWS and other stuff too, Signal Adds Cryptocurrency Support and Not everyone is a fan, Zoom 0-click exploit, when firmware attacks, attackers blowing up Discord.

Register for Joff’s Fun Regular Expressions class here:
https://bit.ly/JoffReLife

Hosts


Jeff Man

@MrJeffMan

Sr. InfoSec Consultant at Online Business Systems


Larry Pesce

@haxorthematrix

Senior Managing Consultant and Director of Research at InGuardians

  1. Polish blogger sued after revealing security issue in encrypted messenger
  2. Windows XP makes ransomware gangs work harder for their money
  3. The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned
  4. Police say they found mafia fugitive on YouTube, posting cooking tutorials
  5. Update on campaign targeting security researchers
  6. Child tweets gibberish from US nuclear-agency account

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Office Depot Configuration Error Exposes One Million Records – A misconfigured Elasticsearch server has been found exposed online without a password and containing approximately one million records that included customers’ PII. Information reportedly included victims’ full names, phone numbers, home addresses, office addresses, @members.ebay addresses, marketplace logs, order histories, and hashed passwords.
  2. New wormable Android malware poses as Netflix to hijack WhatsApp sessions – The fraudulent “FlixOnline” app promised global “unlimited entertainment” and two months of a premium Netflix subscription for free due to the pandemic. Once downloaded, however, the malware ‘listens in’ on WhatsApp conversations and auto-responds to incoming messages with malicious content.

    Upon installation, the app asks for overlay permissions — a common ingredient in the theft of service credentials — as well as Battery Optimization Ignore, which stops a device from automatically closing down software to save power.

  3. The DOTGOV Act: Local Cybersecurity a National Imperative – As the federal .gov program moves under CISA’s jurisdiction, the time is right to ensure more cities and counties transition to a .gov domain and take advantage of being seen as a government entity. Currently, just 10 percent of local governments have a .gov domain.
  4. LinkedIn Phishing Ramps Up With More-Targeted Attacks – The spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs.
  5. APTs targeting Fortinet, CISA and FBI warn – The FBI and CISA have issued a joint alert about APT actors scanning ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. See also https://www.ic3.gov/Media/News/2021/210402.pdf
  6. VMware fixes authentication bypass in Carbon Black Cloud Workload appliance – VMware has addressed a critical vulnerability, CVE-2021-21982, in the VMware Carbon Black Cloud Workload appliance that could be exploited by attackers by manipulating a URL in the admin interface to bypass authentication.
  7. 533 Million Facebook Users’ Phone Numbers and Personal Data Leaked Online – PII belonging to roughly 533 million Facebook users around the world that was initially compromised by exploiting a Facebook vulnerability in 2019 has been leaked on a popular cyber crime forum and made accessible free of charge.
  8. Clop Ransomware operators plunder US universities – Accellion FTA used by universities to share information, “Clop” ransomware operators leaked PII and financial data belonging to students and staff stolen from Stanford Medicine, the University of California, and University of Maryland Baltimore (UMB).
    Range of sites with data published: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2021/04/image.png?ssl=1
  9. Personal data of 30,000 users of NTUC’s e2i training and job matching services may have been breached
  10. Malware attack on Applus blocked vehicle inspections in some US states – Vehicle inspections in eight U.S. states (including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin) were interrupted after provider Applus Technologies suffered a cyber attack on March 30 that forced it to disconnect its IT systems from the Internet to prevent the malware infection from spreading.
  11. Watch Out! Mission Critical SAP Applications Are Under Active Attack – Attackers are now actively targeting unsecured SAP applications in campaigns designed to steal sensitive data and sabotage critical processes. CVE-2020-6287 and CVE-2020-6207 are rated as High-risk due to the potential to gain remote unauthorized system access.
  12. Hackers From China Target Vietnamese Military and Government – The “Cycldek” group has been linked to a cyber espionage campaign that took place between June 2020 and January 2021 and targeted Vietnamese government and military organizations. Likely a result of Vietnamese efforts to block China’s expansion into the South China Sea.
  13. EtterSilent maldoc builder used by top cybercriminal gangs – EtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. What Are The Fundamentals of a Domainless Enterprise? – JumpCloud
  2. LinkedIn and LOLBINs – “a phishing campaign which used job titles scraped from user profiles to convince victims to open and execute evil files and links, which in this case, used an attack tool called more_eggs. The eggy script executes in memory and uses native binaries (“living off the land”) to foil detection efforts.”
  3. Is your dishwasher trying to kill you? – There is an interesting balance between physical harm and monetary gain, though they could relate when it comes to IoT security. Poisoning water is one thing, ransomwaring your dishwasher is another thing. Will they intersect?
  4. Ubiquiti All But Confirms Breach Response Iniquity – Krebs on Security – New statements (mostly more hand-waving), Krebs says: “Ubiquiti’s statement largely confirmed the reporting here by not disputing any of the facts raised in the piece. And while it may seem that Ubiquiti is quibbling over whether data was in fact stolen, Adam said Ubiquiti can say there is no evidence that customer information was accessed because Ubiquiti failed to keep logs of who was accessing its databases.”
  5. Zero Trust creator talks about implementation, misconceptions, strategy – Help Net Security
  6. OpenBSD OpenSMTPD 6.6 Remote Code Execution
  7. Light Roast 102: Cyber Threat Analysis – This is an interesting role, curious to see how it’s developing. Who monitors assets and threats? What role, if any, should security play in operations?
  8. Chinese Hackers Selling Intimate Stolen Camera Footage
  9. Vulnerabilities in ICS-specific backup solution open industrial facilities to attack
  10. 11 Useful Security Tips for Securing Your AWS Environment – Few are actually only relevant to AWS…
  11. Signal Adds Cryptocurrency Support – Schneier on Security – Not everyone is a fan: “I think this is an incredibly bad idea. It’s not just the bloating of what was a clean secure communications app. It’s not just that blockchain is just plain stupid. It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI.”
  12. $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own – Update from Zoom: “We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.”
  13. Should firms be more worried about firmware cyber-attacks? – “Its survey of 1,000 cyber-security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years. Yet only 29% of security budgets have been allocated to protect firmware.” – I actually believe the 29% to be much lower.
  14. Attackers Blowing Up Discord, Slack with Malware – All kinds of abuse! “Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” they said. The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network, they added.
  15. Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks
  16. Library Dependencies and the Open Source Supply Chain Nightmare – “It’s a devil’s bargain,” Contrast’s co-founder and CTO Jeff Williams told SecurityWeek, “because the farther you get behind, the harder it is to get back up to date. So, you accrue technical debt if you don’t keep your libraries patched. But commercial companies are focused on rolling out new features and they don’t want to do those library updates if they don’t absolutely have to.”
  17. FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploited – Should the NSA help monitor and thwart attacks without the 4th Amendment handcuffs? – “The U.S. Constitution’s Fourth Amendment bars the government from domestic surveillance unless a crime is suspected. But in the digital age, these U.S. privacy protections have an unintended consequence. They help hide foreign intelligence agencies that can disguise their tracks and make it appear as if they are operating from inside the U.S.”
  18. After A Major Hack, U.S. Looks To Fix A Cyber ‘Blind Spot’
  19. ‘Anomalous surge in DNS queries’ knocked Microsoft’s cloud off the web last week
  20. New vulnerabilities discovered allow access to user data and complete takeover – “Web server: allows a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials. DLNA server: allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well.”
  21. RootMy.TV: Coming soon! (Developer “pre-release” available now!) – “TL;DR; If you want root on any* current WebOS LG TV, do not install updates for the time being, and wait patiently. If you’re a developer or researcher, read the latest update below.”

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security and Founder & CEO of Dark Element