Paul’s Security Weekly Episode #706 – August 12, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. OSINT & Social Engineering – 06:00 PM-06:45 PM

Announcements

Description

Joe will discuss his upcoming book, “Practical Social Engineering”, in addition to OSINT. He is primarily passionate about OSINT and adjacent forms of intelligence, but will also cover some social engineering (both conducting it and defending against it). He will also mention the Trace Labs OSINT Search Party competitions (he won his second one last weekend at DEFCON).

Segment Resources:
https://www.theosintion.com
https://wiki.theosintion.com
http://discord.theosintion.com

Guest(s)

Joe Gray – Senior Investigator at SpyCloud & The OSINTion

@C_3PJoe

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior OSINT Specialist at Qomplx, Inc. and previously maintained his own blog and podcast called Advanced Persistent Security. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. As a member of the Password Inspection Agency, Joe has placed 2nd in the HackFest Quebec Missing Persons CTF powered by TraceLabs, 2nd in the BSides Atlanta OSINT CTF, and 3rd Place in the 2018 & 2019 NOLACon OSINT CTFs. Joe has independently placed 2nd in the HackFest Quebec SECTF, 4th Place in the DerbyCon OSINT CTF, and 2nd Place in Hacker Jeopardy at Hack in Paris. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, Forbes, and Dark Reading.

Hosts

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

2. Offensive Operations With Mythic – 07:00 PM-07:45 PM

Announcements

  • SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!

Description

Mythic is an open-source, multi-platform framework for conducting red team engagements. This talk will cover the automated deployment of a Mythic server, developing new “wrappers” to extend the framework, and modifying public payload types to evade signature-based detections.

Guest(s)

Kyle Avery – Penetration Tester at Black Hills Information Security

@kyleavery_

Kyle Avery has been tinkering with computers for his entire life. Growing up, he and his dad self-hosted game servers and ran their own websites. He formally studied system administration and compliance at university but spent his free time learning offensive security techniques. Kyle’s hobbies include Hack The Box, homelabbing, and catching the latest drama on infosec Twitter. In 2020 he got his dream job at BHIS, working alongside talented professionals to help companies better understand and secure their networks.

Hosts

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

Paul Asadoorian

@securityweekly

Founder at Security Weekly

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security

3. Cyber-Symposiums, Apple Backdoor, Crypto Theft, & “Quadruple Extortion” – 08:00 PM-09:30 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    We are excited to announce our first round of speakers: Lesley Carhart, David Kennedy, Alyssa Miller, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, and Justin Kohler!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

This week in the Security News: Accenture gets LockBit, $600 million in cryptocurrency is stolen and the thieves have started returning it, Lee and Jeff’s data is leaked (among other senior citizens), authentication bypass via path traversal, downgrade attacks, Apple’s backdoor, Super Duper Secure Mode, re-defining end-to-end encryption and how that doesn’t work out, pen testers file suit against the Dallas County Sheriff’s department, fingerprinting Windows, double secret quadruple extortion, & more!

Hosts

Larry Pesce

@haxorthematrix

Principal Managing Consultant and Director of Research & Development at InGuardians

  1. Catalin Cimpanu on Twitter – A security researcher (@HarioMenkel) has released today a tool named CobaltSpam that can flood Cobalt Strike servers with fake beacons and corrupt their internal databases of infected systems.
  2. 1M Stolen Credit Cards Hit Dark Web for Free
  3. Rob Graham @ Sioux Falls cyber symposium on Twitter – A good thread on the outcomes of the MyPillow guy CyberSymposium. Not a political talk.
  4. vx-underground on Twitter – Accenture got ransomwared…?
  5. Plugins 2500/2501 and 16800/16801 are deprecated – Hashcat, why you gotta mess with a good thing?

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. Over $600 million reportedly stolen in cryptocurrency hack – Poly Network has disclosed that hackers managed to steal more than $600 million USD in Binance Chain, Ethereum, and Polygon cryptocurrency assets and transfer it to attacker-controlled wallets in what is being dubbed as one of the largest DeFi hacks to date.
  2. Bulletin: The Importance of Properly Scoping Cloud Environments – Guidance from CSA/PCI Security Standards Council on requirements and processes to assess cloud based payment processing systems. What’s new is the tools to help the assessment.
  3. Millions of Senior Citizens’ Personal Data Exposed by Misconfiguration – Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, containing millions of files labeled “leads” and 182GB of personally identifiable information (PII) belonging to some three million of its users.
  4. Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch Now – Attackers have been spotted leveraging three chained vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) dubbed “ProxyShell” that, when chained together, can be remotely exploited via the Microsoft Exchange “Client Access Service” (CAS) running in IIS on port 443. According to reports, the ProxyShell vulnerabilities are capable of performing unauthenticated, remote code execution (RCE) against Microsoft Exchange servers.
  5. Vulnerability Affecting Routers From Many Vendors Exploited Days After Disclosure – Cybercriminals quickly started exploiting a vulnerability that affects routers and modems from many vendors that use the same underlying firmware. CVE-2021-20090 is associated with Arcadyan firmware found in 19 manufacturers’ products, including ADB, ASMAX, ASUS, Beeline, BT, Buffalo, Deutsche Telecom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom Argentina, Telmex, Telstra, Telus, Verizon, and Vodafone.
  6. FlyTrap Android Malware Used to Compromise Facebook Accounts – Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store.
  7. Black Hat USA: Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates – Thanks Gus for finding this! The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”. The system is tricked into using a specific nameserver by introducing high latency into connections to other validation nodes.

    In controlled tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Chaos Malware Walks Line Between Ransomware and Wiper – Nasty: “Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom.” “One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system,” de Jesus wrote. “This could permit the malware to jump onto removable drives and escape from air-gapped systems.”
  2. Hacker Exploiting Authentication Bypass Bug On Millions Of Routers – Yikes: “For a device in which http:///index.htm requires authentication, an attacker could access index.htm using the following paths: http:///images/..%2findex.htm or http:///js/..%2findex.htm or http:///css/..%2findex.htm” Great article on the details: https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
  3. Apple’s Plan to “Think Different” About Encryption Opens a Backdoor to Your Private Life – Interesting take on this and how it could be abused from a privacy perspective: “This means that if—for instance—a minor using an iPhone without these features turned on sends a photo to another minor who does have the features enabled, they do not receive a notification that iMessage considers their image to be “explicit” or that the recipient’s parent will be notified. The recipient’s parents will be informed of the content without the sender consenting to their involvement. Additionally, once sent or received, the “sexually explicit image” cannot be deleted from the under-13 user’s device.”
  4. Microsoft announces new ‘Super Duper Secure Mode’ for Edge – “Encouraged by these findings, Norman said the Edge team is now working on Super Duper Secure Mode, an Edge configuration where they disable JIT and enable three other security features such as Control-flow Enforcement Technology (CET) and Arbitrary Code Guard (ACG)—two features that would normally clash with V8’s JIT implementation. As Norman explained, Super Duper Secure Mode is currently classified as an experiment, and there are no plans set in stone to ship it to users just yet.”
  5. INFRA:HALT security bugs impact critical industrial control devices – We’ve seen this before, very bad: “They impact the DNS client and the HTTP server components of the stack, allowing a remote attacker to execute code on the vulnerable device to take full control over it. To trigger CVE-2020-25928, an attacker would need to send a crafted DNS packet as a response to a DNS query from the vulnerable device, Forescout and JFrog researchers explain in a joint technical report published earlier today.”
  6. Zoom to pay $85M for lying about encryption and sending data to Facebook and Google – Trying to re-define end-to-end encryption: “The connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between a web browser and a website is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting utilizing this encryption technology, the video and audio content will stay private from anyone spying on Wi-Fi, but will not stay private from the company or, presumably, anyone with whom the company shares its access voluntarily, by compulsion of law (e.g., at the request of law enforcement), or involuntarily (e.g., a hacker who can infiltrate the company’s systems). With true E2E encryption, the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it.” as “the encryption keys for each meeting are generated by Zoom’s servers, not by the client devices.”
  7. Credit card-stealing malware found in official Python repository – I really want to know if a library is accessing my file system and/or communicating with IP addresses on the Internet… This one steals your Discord auth tokens and credit cards stored by your browser…
  8. Men File Lawsuit Against Dallas County Sheriff – “Gary DeMercurio and Justin Wynn have filed a civil lawsuit against Dallas County and Sheriff Chad Leonard from an incident that occurred in September 2019 when the two men broke into the Dallas County Courthouse claiming they were hired to do so. The two men worked for cybersecurity advisor Coalfire, which is headquartered in Colorado.”
  9. Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication – Using Windows DCE/RPC (TCP port 135) HD and team was able to more accurately fingerprint the Windows OS type and version, in addition to determining if the host has a Wifi adapter and even what type of AV software is running. Amazing research!
  10. Crypto-mining botnet modifies CPU configurations to increase its mining power – We need more power captain: “In a report published last week, Uptycs researchers said they spotted a crypto-mining botnet in June 2021 that was breaching Linux servers, downloading the Linux MSR driver, and then disabling hardware prefetching before installing a version of XMRig, a common app used for cryptocurrency mining by both legitimate users and malware gangs. Uptycs believes the attacker got the idea to disable hardware prefetching after reading the XMRig documentation, where it is claimed that XMRig can gain a 15% speed boost if the feature is disabled.”
  11. A Botnet is Attacking Synology NAS Devices: Here’s How to Secure Yours – Why do you need your NAS device on the Internet!?!?
  12. Glowworm-Attack – Wow: “In this paper, we identify a new class of optical TEMPEST attacks: recovering sound by analyzing optical emanations from a device’s power indicator LED. We analyze the response of the power indicator LED of various devices to sound and show that there is an optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED due to the facts that: (1) the power indicator LED of various devices is connected directly to the power line, (2) the intensity of a device’s power indicator LED is correlative to the power consumption, and (3) many devices lack a dedicated means of countering this phenomenon.”
  13. Ransomware Payments Explode Amid ‘Quadruple Extortion’ – “1) Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted. 2) Data Theft: Hackers release sensitive information if a ransom is not paid. 3) DoS: Ransomware gangs launch DoS attacks that shut down a victim’s public websites. 4) Harassment: Cybercriminals contact customers, business partners, employees and media to tell them the organization was hacked.”
  14. Accenture claims to fight off LockBit ransomware gang with backup – “Cybercrime intelligence firm Hudson Rock revealed that nearly 2,500 computers of Accenture partners and employees were compromised. Another research firm Cyble tweeted that the attackers stole 6TB of data and have demanded a ransom of $50 million.”
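
The authentication bypass in item 2 above works because the router exempts “static” prefixes (/images/, /js/, /css/) from authentication by looking at the raw request path, while the file handler resolves the `..%2f` segments and serves /index.htm. The following is an added example (not code from the episode, Tenable, or Arcadyan) that shows the weak check beside a hardened one that authorizes on the canonical path, plus a small helper to flag such requests in access-log lines. The prefixes, protected path and log lines are constructed for illustration.

```python
from urllib.parse import unquote
import posixpath

# Constructed illustration, not vendor code: static-asset prefixes that
# are served without authentication, and one protected page.
STATIC_PREFIXES = ("/images/", "/js/", "/css/")
PROTECTED = {"/index.htm"}


def canonicalize(path: str) -> str:
    """Percent-decode (twice, to also catch double encoding such as %252f)
    and collapse '.'/'..' segments, keeping the result rooted at '/'."""
    decoded = unquote(unquote(path))
    # normpath drops leading '..' on an absolute path, so re-root first.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def naive_requires_auth(path: str) -> bool:
    """Weak pattern: the exemption is decided on the raw, undecoded path."""
    if path.startswith(STATIC_PREFIXES):
        return False
    return path in PROTECTED


def hardened_requires_auth(path: str) -> bool:
    """Decide only on the canonical path the file handler will actually serve."""
    canon = canonicalize(path)
    if canon.startswith(STATIC_PREFIXES):
        return False
    return canon in PROTECTED


def flag_traversal(path: str) -> bool:
    """True when the raw-prefix decision and the canonical decision disagree,
    i.e. the request would slip past the weak check but reach a protected page."""
    return naive_requires_auth(path) != hardened_requires_auth(path)


# Constructed access-log style lines (method, path, status), not real traffic.
SAMPLE_LOG = [
    "GET /images/logo.png 200",
    "GET /images/..%2findex.htm 200",
    "GET /index.htm 401",
    "GET /js/..%2f..%2findex.htm 200",
]


def suspicious_requests(lines):
    """Return request paths whose auth exemption hinges on the raw prefix."""
    hits = []
    for line in lines:
        _method, path, _status = line.split(" ", 2)
        if flag_traversal(path):
            hits.append(path)
    return hits
```

Run `suspicious_requests(SAMPLE_LOG)` over real logs by swapping in your own parsed paths; the decoding and normalization should mirror what the server actually does, including any double-decoding it performs.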
Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc and Founder & CEO of Dark Element at Trimarc Security