
Paul’s Security Weekly Episode #693 – May 06, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Building a Risk-Based Vulnerability Management Program – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/coresecurity for more information!

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 [securityweekly.com] and use the code 5U1CYBER! We hope to “see” you there!

Description

Risk-based vulnerability management is more than just a vulnerability scan or assessment. It incorporates relevant risk context and analysis to prioritize the vulnerabilities that pose the greatest risk to your organization. This segment will explore the elements of a successful vulnerability management program and impactful ways to build upon your foundation.

Segment Resources:
https://www.coresecurity.com/blog/how-mature-your-vulnerability-management-program
https://www.coresecurity.com/blog/when-use-pen-test-and-when-use-vulnerability-scan
https://www.digitaldefense.com/blog/infographic-risk-based-vulnerability-management/

This segment is sponsored by Core Security, A Help Systems Company.

Visit https://securityweekly.com/coresecurity to learn more about them!

Guest(s)

Bob Erdman

Bob Erdman – Associate Director of Development at Core Security, a HelpSystems Company

@HelpSystems

Bob Erdman is Head of Product Management for Core Security’s Cyber Threat Solutions (CTS). With more than 25 years of experience in information technology, he has worked with global customers across the government, healthcare, financial, and military industries to help implement mission-critical technology. Bob is also a veteran of the United States Army National Guard and a current member of the U.S. Federal Bureau of Investigation’s InfraGard Cyber Health Working Group.

Hosts


Doug White

@dougwhitephd

Professor at Roger Williams University


Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems


Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian

@securityweekly

Founder at Security Weekly


Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Biden Administration EO on Cyber – 07:00 PM-07:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

US Congressman Jim Langevin joins to talk about Executive Orders, International Interest in Cyber, & more in this gripping interview!

Guest(s)

Jim Langevin

Jim Langevin – US Congressman at US House of Representatives

@JimLangevin

Congressman Jim Langevin (LAN’-jih-vin) is a senior member of the House Armed Services Committee, where he is the Chairman of the Subcommittee on Cyber, Innovative Technologies, and Information Systems (CITI), and also serves on the Subcommittees on Seapower and Projection Forces and Strategic Forces. A national leader on securing our nation’s technology infrastructure against cyber threats, Langevin co-founded the Congressional Cybersecurity Caucus to increase awareness around the issue and co-chaired the Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency, which made policy recommendations to President Obama.

As co-chair of the bipartisan Congressional Career and Technical Education Caucus, Langevin advocates to improve and increase access to training that gives students and workers the skills that best fit the needs of expanding industries. He has successfully fought for strong CTE funding under the Carl D. Perkins Vocational and Technical Education Act and, in Rhode Island, has worked to foster employer-educator partnerships and career training programs across a variety of career fields.

Langevin was inspired to enter public service by the tremendous outpouring of support he received during the most challenging time of his life, after a gun accident paralyzed him at age 16 and left him a quadriplegic. He is driven by a belief that everyone deserves a fair opportunity to make the most of their talents.

After serving as secretary for the state’s Constitutional Convention in 1986, Langevin won election to the Rhode Island House of Representatives, and in 1994, became the nation’s youngest Secretary of State.

Hosts


Doug White

@dougwhitephd

Professor at Roger Williams University


Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians


Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory


Paul Asadoorian

@securityweekly

Founder at Security Weekly

3. Job Expectations, Pi Password Thief, Python Masscan, & Pingback – 08:00 PM-09:30 PM

Announcements

  • In our next technical training webcast on May 13th at 11am ET, see how attackers gain access to endpoints, and learn how to use defensive strategies to protect against those attacks! In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. Then join our webcast on June 3 to learn about pen testing tools and why every organization should be using them regularly. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the Security Weekly News the crew talks: Pingback is back (was it ever really gone?), damn QNAP ransomware, anti-anti-porn software, Qualcomm vulnerabilities, spreading pandas on Discord, the always popular Chinese APTs, exploits you should be concerned about, job expectations, WeSteal your cryptocurrency, quick and dirty Python (without lists), new Spectre attacks, GitHub says don’t post evil malware, and more!

Hosts


Doug White

@dougwhitephd

Professor at Roger Williams University

  1. New Moriya rootkit used in the wild to backdoor Windows systems
  2. Qualcomm vulnerability impacts nearly 40% of all mobile phones
  3. BleepingComputer
  4. Global Phishing Attacks Spawn Three New Malware Strains
  5. New Crypto-Stealer ‘Panda’ Spread via Discord

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. An estimated 30% of all smartphones vulnerable to new Qualcomm bug
  2. They Told Their Therapists Everything. Hackers Leaked It All
  3. Review
  4. Shave 99.93% off your Lambda bill with this one weird trick
  5. Your Car Is Spying on You, and a CBP Contract Shows the Risks
  6. Pingback: Backdoor At The End Of The ICMP Tunnel
  7. Video: AirTag gets the teardown treatment, revealing how the speaker works and more – 9to5Mac
  8. I’ve just been HIT by a global ransomware attack, QNAP need to be held accountable for this
  9. Josh Duggar’s wife installed anti-porn software on his computer, but Duggar used anti-anti-porn software to download child porn, says fed agent

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. New Windows ‘Pingback’ malware uses ICMP for covert communication – Researchers say they have identified a novel Windows malware sample dubbed “Pingback” that leverages ICMP for C&C communications and DLL hijacking to achieve persistence on targeted Windows 64-bit systems.
  2. U.S. Organizations Targeted by New Cybercrime Group With Sophisticated Malware – A new threat actor that appears to be financially motivated has targeted many organizations in the United States and other countries. The attacks involved three previously unseen pieces of malware tracked by FireEye as DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK. DOUBLEDRAG is a downloader delivered in the first stage of the attack and which in some cases was replaced with a malicious Excel document that served as a downloader.

    DOUBLEDRAG is designed to connect to a C&C server and fetch DOUBLEDROP, a memory-only dropper that deploys DOUBLEBACK, a backdoor that is apparently still under development.

  3. ATT&CK v9 Introduces Containers, Google Workspace – MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform. ATT&CK v9 includes another significant change that consolidates AWS, Azure, and Google Cloud Platforms into a single infrastructure-as-a-service (IaaS) platform.
  4. Utah County’s Online Marriage System Takes Off During Pandemic – Digital marriage licenses. Zoom ceremonies. Everyday citizens becoming wedding officiants. Utah County, Utah’s online marriage license system became a big hit after COVID-19 shut down most offices that issue marriage licenses.
  5. Exclusive: Hackers Break Into Glovo, Europe’s $2 Billion Amazon Rival – A cyber crime group breached its systems and began selling access to compromised customer and courier accounts on Amazon rival Spanish delivery service Glovo, just one month after announcing it had taken in $1 billion in funding and has plans to go public in a few years.
  6. Pulse Secure Patches Critical Zero-Day Flaw – Pulse Secure has released a patch addressing the critical authentication bypass vulnerability (CVE-2021-22893). Run the Pulse Secure Integrity Checker prior to patching.
  7. U.S. government probes VPN hack within federal agencies, races to find clues – The U.S. government says it is investigating a recently discovered supply chain attack in which attackers leveraged vulnerabilities affecting the Pulse Secure VPN to target more than a dozen federal agencies.
  8. ‘Tens of thousands’ of SIM cards hacked – Hackers are now claiming they have accessed “tens of thousands” of SIM cards following a cyber attack against telecommunications firm Schepisi Communications, which is self-described as a “platinum partner” of Melbourne-based Telstra that provides cloud storage and telephone numbers on behalf of Telstra.
  9. First Horizon Bank Customers Have Account Funds Drained – Using obtained credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.
  10. PoC exploit released for Microsoft Exchange bug discovered by NSA – Technical documentation and proof-of-concept exploit (PoC) code is available for a high-severity vulnerability in Microsoft Exchange Server that could let attackers execute code on unpatched systems. Attackers can exploit CVE-2021-28482 if they are authenticated on an on-premises Exchange server instance not patched with Microsoft’s April update. A Python-based PoC exploit has been released.
  11. Contact Tracer Breach Hits the Keystone State – Pennsylvania DOH is accusing contact tracing company Insight Global, which was contracted to provide the state with “contact tracing and other services,” of willfully disregarding security protocols and exposing PHI and PII belonging to some 72,000 people.
  12. Stealthy RotaJakiro Backdoor Targeting Linux Systems – Chelle brought this to my attention. A previously undocumented piece of Linux malware dubbed “RotaJakiro”, which functions as a backdoor and has gone undetected for at least three years, has been spotted being used in attacks targeting Linux x64 systems.
  13. New micro-op cache attacks break all Spectre defences – Researchers at the universities of Virginia and California in the United States have devised new Spectre-style hardware attacks that make it possible to steal data when processes retrieve commands from their micro-ops caches.
  14. TurgenSec finds 345,000 files from Filipino solicitor-general’s office were breached – According to TurgenSec, the compromised documents include documents generated during daily operations, staff training, internal passwords and policies, staff payment information, information related to financial processes, and other activities such as audits.
  15. Chinese APT Actors Attack Russian Defense In An Espionage Attack – The “PortDoor” backdoor developed by Anonymous is likely being leveraged by Chinese APT actors in phishing attacks targeting Russian firm Rubin Design Bureau, which builds submarines for the Russian Navy Federation. RoyalRoad is used by attackers to create weaponized RTF documents designed to exploit three vulnerabilities (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) affecting Microsoft’s Equation Editor.
  16. CVE-2021-21551 – Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs – Executive Summary: SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets. See also: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. 10 Exploits Cybersecurity Professionals are Concerned About – Not one open-source vulnerability on the list, not a bad list, but I am concerned about SSH, Exim and Kernel vulns.
  2. New Hires Speak Out about Cybersecurity Job Expectations – Security Boulevard – This: “One of the issues we discuss in the report is job descriptions and understanding, as an organization, which skills are needed for which roles,” said Clar Rosso, CEO for (ISC)2, in an email interview. For example, many introductory positions want applicants to hold industry certifications. However, said Rosso, it’s unrealistic to ask entry-level job seekers to hold a CISSP certification—a common certification listed for these jobs—since someone looking for an entry-level position is unlikely to have the requisite five years of experience the certification requires.”
  3. WeSteal, a shameless commodity cryptocurrency stealer available for sale – “A new cryptocurrency stealer dubbed WeSteal is available on the cybercrime underground; unlike other commodity cryptocurrency stealers, its author doesn’t masquerade its purpose and promises “the leading way to make money in 2021.” WeSteal is a Python-based malware that uses regular expressions to search for strings related to wallet addresses that victims have copied to their clipboard.”
  4. Calculating CVSS – So much room for interpretation!
  5. Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack
  6. Raspberry Pi Zero Password Thief – Neat: “The idea of pulling credentials from a locked computer isn’t new. There are commercial products that can do this like the USB Armory and the LAN Turtle. They do, however, cost quite a bit more than a Pi Zero and a USB board. There are trade offs; commercial devices may cost more but definitely look less suspicious, for example.”
  7. Experian API Leaks Most Americans’ Credit Scores – ““Shame on you Experian!” Nayyar said. “The credit-score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive — just the sort of data cybercriminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API?””
  8. Apple Fixes Zero-Days Under Active Attack – “A critical memory-corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution” was addressed with improved state management.” – WebKit, yea, seems similar to Chrome and Firefox in terms of vulnerabilities.
  9. How to apply a Zero Trust approach to your IoT solutions – Microsoft Security – “Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust its identity before making decisions.” – I mean or you can just build backdoor credentials into your device right?
  10. Working with Webhooks: Security – “In the code above, we extract the X-Shopify-Hmac-SHA256 HTTP header from the request, create a hash based on the Hmac-SHA256 algorithm from the request body, then compare both hashes. Lastly, go ahead and create a constant called secret which would hold the value of the secret Shopify returned to you when you created a new webhook connection. You would want to store that as an environment variable to ensure it is safe.” – Better to use a secrets manager, but this is better than not validating or encrypting webhooks (and the traffic via HTTPS).
  11. Quick and dirty Python: masscan – “Just recently I discovered there is a Python module for both masscan and nmap. So far I have only spent time on the masscan module. Suppose you needed a script which will find all the web servers (port 80, 443) in an address range. It took me about 5 minutes to code up scan_web.py.”
  12. New Attacks Slaughter All Spectre Defenses – “The vulnerability in question is called Spectre because it’s built into modern processors that perform branch prediction. It’s a technique that makes modern chips as speedy as they are by performing what’s called “speculative execution,” where the processor predicts instructions it might end up executing and prepares by following the predicted path to pull the instructions out of memory. If the processor stumbles down the wrong path, the technique can leave traces that may make private data detectable to attackers. One example is when data accesses memory: if the speculative execution relies on private data, the data cache gets turned into a side channel that can be squeezed for the private data through use of a timing attack. The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a writeup from the University of Virginia. Even though the processor quickly realizes its mistake and does a U-turn to go down the right path, attackers can get at the private data while the processor is still heading in the wrong direction.”
  13. CVE-2021-21551 – Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs – “The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”
  14. Then a Hacker Began Posting Patients’ Deepest Secrets Online – “At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it.”
  15. Python Lists are not good? – A case for arrays: “Python has a built-in module named ‘array‘ which is similar to arrays in C or C++. In this container, the data is stored in a contiguous block of memory. Just like arrays in C or C++, these arrays only support one data type at a time, therefore it’s not heterogenous like Python lists. The indexing is similar to lists. The type of the array has to be specified using the typecode provided in the official documentation”
  16. HackListX – A good list: “This is a list of Hacking Streamers derived from the original Hacklists here and here. While I continue to maintain those, there is a collaborative version here that motivated me to create this version while and learn new skills.”
  17. Python also impacted by critical IP address validation vulnerability – “The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the “netmask” library earlier this year.”
  18. GitHub Exploits and malware policy updates – “Our existing language qualified on “active malware and exploits”, which was too broad in practice. Our intent is to narrow scope to “malware and exploits that are directly supporting unlawful activity”.” – So like, you can carry a knife, but don’t like stab anyone or something. Legit software is used for unlawful activity too. Regulating content is hard.
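The webhook item above (item 10) describes the check in words: pull the X-Shopify-Hmac-SHA256 header, HMAC the raw body with the shared secret, compare. The block below is an added example written for these notes, not code from the show or from the article quoted; it assumes the secret is read from an environment variable named SHOPIFY_WEBHOOK_SECRET (a name chosen here) and uses a constructed body, secret and header so it runs offline. The part the quoted summary glosses over is the comparison step: hmac.compare_digest, not ==, so the check does not leak timing.

```python
"""Verify a Shopify-style webhook signature (added example, not from the page)."""
import base64
import hashlib
import hmac
import os


def load_secret() -> bytes:
    # Assumption: the shared secret is injected via an environment variable.
    # The fallback is a CONSTRUCTED placeholder so the script runs offline.
    return os.environ.get("SHOPIFY_WEBHOOK_SECRET", "constructed-demo-secret").encode()


def compute_signature(secret: bytes, body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 over the *raw* request bytes.

    Hash the bytes exactly as received; re-serialising parsed JSON first
    would change whitespace/key order and break the comparison.
    """
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: dict, body: bytes, secret: bytes) -> bool:
    """Return True only when the signature header matches the body."""
    received = headers.get("X-Shopify-Hmac-SHA256")
    if not received:
        return False  # unsigned request: reject, never fall through to processing
    expected = compute_signature(secret, body)
    # Constant-time comparison; a plain == short-circuits on the first
    # differing byte and leaks how much of the MAC an attacker got right.
    return hmac.compare_digest(expected, received)


# Constructed sample of what a receiver would see on the wire.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_BODY = b'{"id": 1001, "total_price": "42.00"}'
SAMPLE_HEADERS = {
    "X-Shopify-Hmac-SHA256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    secret = load_secret()
    print("genuine :", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, secret))
    tampered = SAMPLE_BODY.replace(b"42.00", b"0.01")
    print("tampered:", verify_webhook(SAMPLE_HEADERS, tampered, secret))
    print("unsigned:", verify_webhook({}, SAMPLE_BODY, secret))
```

In a real handler the header lookup should go through the framework's case-insensitive header mapping, and the body must be the unmodified request bytes, read before any JSON parsing middleware touches it.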
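Item 17 above only says that Python's ipaddress module shared the netmask library's validation flaw; the flaw in both cases was that a dotted-quad octet with a leading zero (for example "010") was read as decimal 10, while C's inet_aton() family and many other consumers read it as octal 8, so the same string named two different hosts. The block below is an added example written for these notes, not code from the page or from the Python project; the function names are chosen here. It shows the two readings side by side, why an allow-list check diverges, and a strict parser that simply refuses leading-zero octets so the question never arises.

```python
"""Leading-zero octets: show the ambiguity and validate strictly (added example)."""
import ipaddress
import re

# One octet: "0", or a 1-3 digit number that does not start with 0.
_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse dotted-quad text, refusing any octet with a leading zero."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    for part in parts:
        if not _OCTET.fullmatch(part) or int(part) > 255:
            raise ValueError(f"invalid octet {part!r} in {text!r}")
    # Only unambiguous strings reach the library parser.
    return ipaddress.IPv4Address(text)


def is_strict_ipv4(text: str) -> bool:
    try:
        strict_ipv4(text)
        return True
    except ValueError:
        return False


def decimal_reading(text: str) -> str:
    """Every octet read as decimal, as the lenient parsers did ('010' -> 10)."""
    return ".".join(str(int(p, 10)) for p in text.split("."))


def inet_aton_reading(text: str) -> str:
    """Leading-zero octets read as octal, as inet_aton() does ('010' -> 8)."""
    out = []
    for p in text.split("."):
        octal = len(p) > 1 and p.startswith("0")
        out.append(str(int(p, 8) if octal else int(p, 10)))
    return ".".join(out)


def readings_agree(text: str) -> bool:
    return decimal_reading(text) == inet_aton_reading(text)


def allowlisted_under_each_reading(text: str, cidr: str) -> tuple:
    """(decimal reading in cidr, inet_aton reading in cidr)."""
    net = ipaddress.ip_network(cidr)
    return (
        ipaddress.ip_address(decimal_reading(text)) in net,
        ipaddress.ip_address(inet_aton_reading(text)) in net,
    )


# Constructed sample: internal-looking to one parser, public to another.
SAMPLE = "010.8.8.8"

if __name__ == "__main__":
    print("decimal  :", decimal_reading(SAMPLE))      # 10.8.8.8
    print("inet_aton:", inet_aton_reading(SAMPLE))    # 8.8.8.8
    print("in 10/8  :", allowlisted_under_each_reading(SAMPLE, "10.0.0.0/8"))
    print("strict   :", is_strict_ipv4(SAMPLE))
```

The design choice is to reject rather than normalise: a validator that picks one reading still disagrees with whichever downstream component picks the other, whereas a string that never had a leading zero is parsed identically everywhere.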