psw694

Paul’s Security Weekly Episode #694 – May 13, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. How Hacking Naked Changed My Life – 06:00 PM-06:45 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Description

“I hack naked” – Not my best choice of a phrase to use with a prospective client though, now that it is done, might as well go through with this terrible idea… This is the story of a kick-off call I had early in my career that revealed a truth that changed the way I present myself in professional settings.

Segment Resources:
https://youtube.com/alexchaveriat

Guest(s)

Alex Chaveriat

Alex Chaveriat – Chief Innovation Officer at Tuik Security Group

@alexchaveriat

My name’s Alex. I’m a hacker and information security geek. I love looking at cybersecurity through the lens of an attacker and solving problems. I am always striving to become a more knowledgeable and happier hacker.

I am a professional hacker living in the US with about 15-years of cybersecurity, ethical hacking, and penetration testing experience. I co-founded a company named Tuik Security Group that is growing and thriving. I am a lifelong learner that loves geeking out about new things and recently started a YouTube channel (https://youtube.com/alexchaveriat) to share my passions and stories. Subscribe and Hack on!

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

LarryPesce

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Attack Surface Mapping w/ AMASS – 07:00 PM-07:45 PM

Announcements

  • Security Weekly listeners save $100 on their RSA Conference 2021 All Access Pass! RSA Conference will be a fully virtual experience from May 17th-20th, 2021. Security Weekly will be live streaming Monday-Thursday in the virtual broadcast alley, interviewing some of the top sponsors and speakers for the event. To register using our discount code, please visit https://securityweekly.com/rsac2021 [securityweekly.com] and use the code 5U1CYBER! We hope to “see” you there!

Description

Learn how to use Amass to collect information about your Internet exposed assets. We’ll cover usage of the configuration file (heavily), then put it altogether by integrating Nmap and a screenshot tool called Eyewitness.

Download the Amass technical segment details (including all commands) here: https://securityweekly.com/amasstechsegment/

Segment Gallery



Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

JoffThyer

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. Executive Order, New & Old Wifi Vulns, Pipeline Hack, & Distro-Less Linux – 08:00 PM-09:30 PM

Announcements

  • In our May 27th webcast at 11am ET, we’ll explore the latest attacks against DNS and the latest techniques that make it possible to discover and disrupt attacks. In our June 3 webcast at 11am ET, you will learn about pen testing tools and why every organization should be using them regularly. Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

This week in the Security News: President Biden issues a 34-page executive order on Cybersecurity, Did you hear about the pipeline hack?, New/Old Wifi vulnerabilities, get this Apple didn’t want to talk about a malware attack that exposed users, fake Amazon review database, why ad-hoc scanning is not enough, distroless linux, wormable windows bug, codered 2.0 perhaps?, and the cryptowars continue!

Hosts

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

JoffThyer

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Executive Order on Improving the Nation’s Cybersecurity – Policy Updates, Increased Threat Sharing, Modernizing Federal Cybersecurity, Supply Chain Security, Improved Detection and Response, NSS requirements, and more.
  2. Cyberattack Forces a Shutdown of a Top U.S. Pipeline – The operator, Colonial Pipeline, said it had halted systems for its 5,500 miles of pipeline after being hit by a ransomware attack. They shut down the pipeline, which it says carries 45 percent of the East Coast’s fuel supplies, in an effort to contain the breach.
  3. All Wi-Fi devices impacted by new FragAttacks vulnerabilities – Newly discovered Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) are impacting all Wi-Fi devices back to 1997. Three of the flaws are reported to be related to the Wi-Fi 802.11 standard design, while others are reported as programming mistakes in Wi-Fi products.
  4. Researchers track down five affiliates of DarkSide ransomware service – Researchers have provided the details of an investigation into cyberattacker activity linked to DarkSide ransomware. On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the RaaS network responsible for the Colonial Pipeline security incident.
  5. US and Australia warn of escalating Avaddon ransomware attacks – The FBI and the ACSC have issued a warning about an ongoing “Avaddon” ransomware campaign targeting organizations operating in the government, finance, energy, manufacturing, and healthcare industries around the world.
  6. Hackers target Windows users exploiting a Zero-Day in Reader – Adobe has confirmed that hackers are actively exploiting a use-after-free memory corruption vulnerability (CVE-2021-28550) affecting its Adobe Reader for Windows in limited attacks in order to execute arbitrary code on targeted systems.
  7. Russian Actors Change Techniques After UK and US Agencies Expose Them – After having its TTPs outed last month by U.K. and U.S. security agencies, APT29 has responded to the exposure by leveraging red-teaming software to infiltrate victims’ networks under the guise of conducting a trusted pentesting exercise.
  8. Facebook removes Ukraine political ‘influence-for-hire’ network – Facebook has taken down a network of hundreds of fake accounts and pages targeting people in Ukraine and linked to individuals previously sanctioned by the United States for efforts to interfere in US elections, the company said on Thursday.
  9. Microsoft Detected a BEC Campaign Targeted at More than 120 Organizations – Microsoft says it has uncovered a large-scale BEC program leveraging typo-squatted domains that are designed to make bogus emails appear to originate from legitimate senders in the consumer products, process manufacturing, agriculture, real estate, distinct manufacturing, and professional services industries in attacks targeting more than 120 organizations.
  10. CISA MAR report provides technical details of FiveHands Ransomware – U.S. CISA has published an analysis of the FiveHands ransomware, the same malware that was analyzed a few days ago by researchers from FireEye’s Mandiant Threat Intelligence. Group “UNC2447” exploited a zero-day issue (CVE-2021-20016) affecting SonicWall Secure Mobile Access (SMA) devices that had not been patched.
  11. New tsuNAME Flaw Could Let Attackers Take Down Authoritative DNS Servers – Researchers disclosed a new and critical vulnerability dubbed “TsuNAME” on May 6 that affects DNS resolvers and could be exploited by attackers to conduct reflection-based DoS attacks targeting authoritative nameservers.
  12. CaptureRx Data Breach Impacts Healthcare Providers – Three U.S. healthcare providers have disclosed they suffered a data breach after San Antonio, Texas-based healthcare technology firm CaptureRx experienced a ransomware attack on Feb. 6.
  13. City of Tulsa, is the latest US city hit by ransomware attack – The city of Tulsa, Okla. has revealed it suffered a ransomware attack on May 7 that impacted its government network as well as a portion of its infrastructure and forced it to shut down its official website last weekend.
  14. City of Chicago Emails Compromised During Data Transfer To Law Firm – The city of Chicago on Friday said that employee emails were stolen in a Jones Day data breach during a data transfer to Accellion’s FTA file sharing service.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Apple kept mum about XcodeGhost malware attack against 128M users – “according to a new report, emails presented during the Epic Games vs. Apple court proceedings have revealed startling new details on that particular attack. It turns out that nearly 128 million iOS users downloaded the apps containing the XcodeGhost malware. Reportedly, Apple kept this malware attack a secret and didn’t share the impact’s full details.”
  2. Leaky database exposes fake Amazon product reviews scam – “The IT security researchers at SafetyDetectives discovered a China-based ElasticSearch server publicly available online without any security authentication. The researchers claim that this misconfigured database helped them unearth a well-organized scheme of Amazon vendors to produce fake reviews for their products on the website.”
  3. A Closer Look at the DarkSide Ransomware Gang – Krebs on Security – Darkside got $5 million from Colonial, others paid even more: “DarkSide has shown itself to be fairly ruthless with victim companies that have deep pockets, but they can be reasoned with. Cybersecurity intelligence firm Intel 471 observed a negotiation between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand in January 2021, and in this incident the victim’s efforts at negotiating a lower payment ultimately reduce the ransom demand by almost two-thirds.”
  4. Ad-hoc scanning is not enough – I agree: “Don’t just run a scan with every major release. Instead, make it a regular element of your staging cycle. Use vulnerability management and vulnerability assessment capabilities as well as easy integration options to automatically create tickets for every vulnerability that exceeds a certain severity threshold. Automatically retest vulnerabilities after the software is amended by the developers and re-deployed in staging.” – This is a different way to think about vuln management, operationalize it, don’t run ad-hoc scans, always be scanning!
  5. 10 Things You Might Not Know About Cyber Essentials
  6. Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations – “The Babuk group is said to have stolen 250GB of data, including investigation reports, arrests, disciplinary actions, and other intelligence briefings.Like other ransomware platforms, DarkSide adheres to a practice called double extortion, which involves demanding money in return for unlocking files and servers encrypted by the ransomware, as well as for not leaking any data stolen from the victim prior to cutting off access to them.”
  7. Google open sources cosign tool for verifying containers – I like this concept: “The tool was developed in collaboration with the Linux Foundation’s sigstore project. The IT giant used the tool to sign its Distroless images and the users could verify them using the cosign tool. “Distroless” images only contain the user’s application and its runtime dependencies, they do not contain package managers, shells, or any other programs that are ordinarily present in a standard Linux distribution.” – I don’t agree with many choices being made by the variety of Linux distros. They all make DIFFERENT decisions, which is hurting Linux in a big way.
  8. FragAttacks vulnerabilities expose all WiFi devices to hack – This concept is not new: “Several implementation flaws can be abused to easily inject frames into a protected Wi-Fi network. In particular, an adversary can often inject an unencrypted Wi-Fi frame by carefully constructing this frame. This can for instance be abused to intercept a client’s traffic by tricking the client into using a malicious DNS server as shown in the demo (the intercepted traffic may have another layer of protection though). Against routers this can also be abused to bypass the NAT/firewall, allowing the adversary to subsequently attack devices in the local Wi-Fi network (e.g. attacking an outdated Windows 7 machine as shown in the demo).” Supposedly this was in Wifitap? https://tools.kali.org/wireless-attacks/wifitap
  9. AWS configuration issues lead to exposure of 5 million records – “AWS Systems Manager automates operational tasks across AWS resources by creating SSM documents. The SSM documents, created in JSON or YAML, contain the operations that an AWS Systems Manager will perform on the cloud assets. By default, SSM documents are private, but can be configured to be shared with other AWS accounts or publicly. AWS provides best practices for shared SSM documents.” https://research.checkpoint.com/2021/the-need-to-protect-public-aws-ssm-documents-what-the-research-shows/
  10. Biggest ISPs paid for 8.5 million fake FCC comments opposing net neutrality – “It was clear before Pai completed the repeal in December 2017 that millions of people—including dead people—were impersonated in net neutrality comments. Even industry-funded research found that 98.5 percent of genuine comments opposed Pai’s deregulatory plan. But today’s report reveals more details about how many comments were fake and how the broadband industry was involved.”
  11. Biden signed executive order to improve the Nation’s Cybersecurity – What does everyone think about this?
  12. Jenkins Attack Framework – Neat: “The Jenkins Attack Framework automates and simplifies many common Jenkins attack and introduces some new techniques which are likely not well known in the offensive security community before now. “
  13. Shining a Light on DARKSIDE Ransomware Operations – “We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices. As one example, in late April 2021, the DARKSIDE operators released a press release stating that they were targeting organizations listed on the NASDAQ and other stock markets. ”
  14. All Wi-Fi devices impacted by new FragAttacks vulnerabilities
  15. Wormable Windows Bug Opens Door to DoS, RCE – ““If exploited, this vulnerability could enable an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP protocol stack (http.sys) to process packets and ultimately, execute arbitrary code, and take control of the affected system,” Eric Feldman, cybersecurity researcher with Automox, wrote in an analysis. Worse, Microsoft noted that the bug is wormable, so that it could be used to self-replicate across the internal network and affect internal services that may not have been exposed.” – CodeRed 2.0?
  16. FCC’s net neutrality rollback overwhelmed by bogus industry comments, investigation finds
  17. AirTag Successfully Hacked to Show Custom URL in Lost Mode
  18. Cyberattack prompts shutdown of major fuel pipeline in the US
  19. Police caught one of the web’s most dangerous paedophiles. Then everything went dark – “In response, politicians in Europe, the UK, India and US have restarted the same arguments that defined the cryptowars of the 1990s. A few years ago they raised the spectre of terrorism to attack encryption, now the detection of child sexual abuse is being used to make their case. Demands have been made for technical “solutions” to encryption and Facebook has been encouraged to abandon its planned rollout. ” – Cryptowars 2.0
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security