psw712

Paul’s Security Weekly Episode #712 – September 30, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Defense Strategies to Combat Sophisticated Ransomware – 06:00 PM-06:45 PM

Sponsored By

sponsor
Visit https://securityweekly.com/ for more information!

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Description

To defend themselves, companies need to detect ransomware attacks early, gather the intelligence to understand the attack, and prevent the attacks from occurring in the future. Qualys’ Mehul Revankar will discuss ransomware trends, defensive maneuvers and discuss the inspiration and research behind Qualys’ new ransomware exposure dashboard that provides companies with personalized plan to remediate the vulnerabilities in their environment.

Segment Resources:
www.qualys.com/vmdr

This segment is sponsored by Qualys.

Visit https://securityweekly.com/ to learn more about them!

Guest(s)

Mehul Revankar

Mehul Revankar – VP Product Management and Engineering, VMDR at Qualys

@MehulRevankar

Mehul is a cybersecurity professional with over 15 years of experience in Vulnerability Management, Policy Compliance and Security Operations. He leads the product management and engineering functions for VMDR (Vulnerability Management, Detection and Response) at Qualys. Before joining Qualys, Mehul led development of vulnerability and patch management products at SaltStack, and prior to that he led multiple research teams at Tenable.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Pickpocketing Apple Pay, Mandatory Breach Reporting, Huawei Fears, & Cyber Criminals – 08:00 PM-09:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

In the Security News, Microsoft adds automated mitigations for Exchange servers, Senior US cyber officials support mandatory breach reporting, 2021 has broken the record for 0days, but maybe that’s a good thing? Speaking of which, Apple patches some 0days, Lithuania warns against using Huawei and Xiaomi phones, the FCC pays companies to ditch Huawei and ZTE gear, the latest on Cybercrime, UK researchers find a way to pickpocket Apple Pay, and more!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. MSFTLOL: Microsoft will disable Basic Auth in Exchange Online in October 2022 – From Sergiu Gatlan at BleepingComputer: A year from tomorrow, basic auth will _start_ to be permanently disabled. Except SMTP, which can be turned back on after that. This is *just* for Exchange Online, doesn’t affect on-prem Exchange.

    “While Microsoft did not provide the exact reason why they decided to make this announcement this week, the cause is likely a Guardicore report (https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/) that revealed how hundreds of thousands of Windows domain credentials were leaked in plain text by misconfigured email clients using basic auth.”

  2. MSFTLOL: Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes – By Catalin Cimpanu for The Record: As we’re having the conversation, wondering when security and IT teams might get comfortable with pushing automated responses and remediation in place, Microsoft goes all Leroy Jenkins on us! Basically, if you’re running on-prem Exchange, you’re going to get the “Exchange On-Premises Mitigation Tool” installed and enabled by default. When there are critical vulns, mitigations for exploit attempts will get automatically pushed to this tool! It’s basically like a custom WAF/IPS in-line with your Exchange server.
  3. MSFTLOL: New Azure Active Directory password brute-forcing flaw has no fix – From Ax Sharma at Ars Technica: Apparently, using Azure AD APIs, it’s possible to brute force accounts with single factors and an Azure AD password, without any limitations or indication that it’s occurring. It’s because these APIs return different results if the password is incorrect. Conditional access and MFA don’t mitigate the attacks, because these are secondary stages that don’t occur unless primary authentication is first successful.
  4. BLUETEAM: 70% of companies say migrating to the cloud top priority – By Steve Zurier for SC Media: Well, this _should_ make security easier, but we all know these folks will leave stuff running in the traditional data center, they won’t get cloud security right on the first pass, and they’ll double, if not triple their attack surface. [shrug]
  5. TRENDS: Senior cyber officials back new, mandatory reporting of breaches – From Martin Matishak at The Record:
    – “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly said during a Senate Homeland Security Committee hearing.
    – National Cyber Director Chris Inglis “wholeheartedly” backed Easterly’s comments, adding such information would be “profoundly useful” to crafting digital strategies, improving responses to intrusions and determining how best to spend federal dollars to prevent future attacks.
  6. TRENDS: 2021 has broken the record for zero-day hacking attacks – By Patrick Howell O’Neill for the MIT Technology Review: TL;DR is that 0days are up because we’re finding and documenting more than ever. There are better incentives for finding and reporting them, so that could be a contributing factor. They’re also becoming more valuable and generally, the skill factor necessary for pulling off 0days is going up.
  7. ZERODAYS: Apple patches one zero-day, fixes two other bugs – I absolutely love this quote: John Bambenek, principal threat hunter at Netenrich, added that when a hacker wants to steal money or information, they will break into a computer. However, when they want to do “really bad things” or commit human rights violations, hackers want to access a mobile phone.
  8. ZERODAYS: Researcher discloses iPhone lock screen bypass on iOS 15 launch day – From Catalin Cimpanu at The Record: TL;DR Apple is pissing off even more researchers, their lock screen bypass mitigations didn’t work, they didn’t bother to check with the researcher that reported the bug, and they underpaid him.
  9. CHINA: Lithuanian government warns about secret censorship features in Xiaomi phones – From Catalin Cimpanu at The Record: First off, the Lithuanian government does audits on smartphones and publicly releases the results (https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysis_env3.pdf) – how cool is that? Aaaaand they found some stuff.
    – The OnePlus 8T 5G was cool (and I believe is actively available in the US from carriers).
    – The Huawei phone (which no longer runs mainstream Android and isn’t allowed to use Google services) will push you to alternative app stores if an app you’re looking for isn’t present. These alternative app stores are full of malicious copies of legitimate apps (giant surprise).
    – The Xitami is the real fun one. From the article: officials said they uncovered a secret censorship module that could detect and censor 449 keywords or groups of keywords in both Chinese and Latin characters related to sensitive topics inside China, such as “Free Tibet,” “Voice of America,” “Democratic Movement,” “Longing Taiwan Independence,” and others. It also sends off secret encrypted SMS messages. No way to tell what data it contains.
  10. CHINA: FCC details $1.9 billion program to rip out Huawei and ZTE gear in the US – By Chris Duckett for ZDNet: For Huawei and ZTE equipment purchased between April 17th, 2018 and June 30th, 2020 are eligible to seek reimbursement for a replacement out of this $1.9bn fund.
  11. CYBERCRIME: Around the world with the NSA’s cyber chief – By Martin Matishak for The Record: The Record has quickly become my new favorite source for security articles. I interviewed the founding editor yesterday and have been floored by the quality and quantity of stories they’re putting out. Tyler Robinson’s TL;DR on this story:

    – Russia is still Russia – focused on pulling as much information as quietly as possible while positioning assets to disrupt if needed.
    – China is extremely active – more so than any other country the US sees. The US has often seen their efforts as clumsy, but there are some elite groups mixed in with the noise.
    – Iran is focused on regional related systems and topics. They don’t seem to care about what they do or how they do it.
    – North Korea is focused primarily on capturing financial resources, primarily cryptocurrency, and recently vaccine maker IP.

  12. CYBERCRIME: An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil – – Targeting companies: at least $100m in revenue. Off-limits (supposedly): healthcare, critical infrastructure, oil and gas, defense, non-profit and govt orgs. Looking to buy existing access to companies, doesn’t want to mess around with hacking VPNs.
    – MO: attacks go under the radar – if the victims pay, they don’t make any of it public.
    – Software development: all-new, modern code, borrowing ideas (not code) from other ransomware where it makes sense.
    – Careful not to make the same mistakes as others.
    – Suggests DOJ was able to recover bitcoins from the Colonial Pipeline ransom because partners/affiliates transferred BTC to easily seized web wallets.
    – Hiring: looking for pen testers (pays so much more than pen testing, this doesn’t seem difficult)
  13. CYBERCRIME: ‘Yes, we are breaking the law:’ An interview with the operator of a marketplace for stolen data – Market for selling data, they don’t do any hacking. Goal is to sell victims’ data back to them. Will sell to others if victims aren’t willing to buy. If no one buys it, they release it publicly 100% of the time. They refer to it as an infosec ‘audit’. They mention media firms and US government orgs as “partners”.

    Why is the US so targeted? Not as much Europe and Asia? “In the US, people like to insure, but not to defend.”

  14. CYBERCRIME: ‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown – This interview was done in March 2021 – before REvil was in the news for hitting Quanta, JBS, Kaseya, and others. The individual being interviewed seems to have made around half a billion, personally???
    – Actively concerned with competition, innovation, and brand reputation
    – Patient, willing to take the time to do things right (except for choosing targets, apparently…)
    – They bought the GandCrab code
    – Avoid CIS, including Georgia and Ukraine; also avoid poorer companies less likely to pay
    – As many as 60 affiliates at one point in time
    – 30% of crew that leaves, leaves because they’ve made enough money for a lifetime… but most eventually come back
    – affiliates claim to have access to ballistic missile launch systems, a US Navy ship, nuclear power plant, weapons factory
    – One affiliate retired after making $50m, retired, came back 4 months later
    – try to avoid politically hot targets, nothing good comes of it
    – especially target cyber insurance firms – they hit all the clients, then the insurer themselves
  15. CYBERCRIME: Group-IB CEO Ilya Sachkov charged with treason in Russia – By Alexander Culafi for TechTarget: The founder and CEO of Group-IB, a Russian cybersecurity company known for its threat hunting and cybercrime research, was arrested Tuesday under treason charges. Sachkov is accused of “transferring intelligence data to foreign special services.”
  16. MALWARE: Microsoft details AD FS malware from SolarWinds actors
  17. SQUIRREL: Keep Technologies wants to turn a cup holder into a security guard for your car – TechCrunch – By Kristen Korosec for TechCrunch: “Moeller describes this as 100 screaming babies”
  18. HACKS: Researchers find Apple Pay, Visa contactless hack – BBC News – From the BBC: This research, led by Dr Andreea Radu, showed that it was possible to trick Apple Pay into sending money to an unauthorized payment reader, without unlocking the phone. Apple and VISA tried to downplay it, calling it impractical or saying it could only happen in a lab. Based on the research, this is flat wrong and is a prime opportunity for criminals to take advantage of using skimmers!
    – It only requires Apple Pay and a VISA card in “transport mode”
    – ticket gate readers can send “magic bytes” to bypass Apple Pay lock screens
    – surprise: anyone can capture and replay these magic bytes to ‘pickpocket’ funds from Apple Pay if they’re in physical proximity to the phone; all you need is an Android phone and a Proxmark RDV4
    – though transport mode is designed for easy payment for public transit, there doesn’t appear to be a reasonable ceiling on the transaction amount
    – it’s also not restricted to transit merchant codes (basically, you could use a coffee shop merchant code for the transaction)
    – Apple said VISA should fix it by performing additional fraud prevention checks
    – VISA said Apple should fix it since Samsung Pay wasn’t affected by the issue
    – Either VISA or Apple could fix it alone, but once again, the consumer is the one that loses here when neither do
    – paper and source code: https://practical_emv.gitlab.io/
JeffMan

Jeff Man

@MrJeffMan

#HackingisNotaCrime Advocate, Sr. InfoSec Consultant at Online Business Systems

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Debunking 5 cybersecurity posture myths
  2. Malware Campaign Hijacking Windows UEFI Bootloader To Infect Victims. – CyberWorkx
  3. ESET’s latest Threat Report warns of RDP attack explosion
  4. PoC exploit released for Azure AD brute-force bug—here’s what to do
  5. A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
  6. fail2ban – Remote Code Execution – research.securitum.com
  7. Electronic Frontier Foundation will deprecate HTTPS Everywhere plugin
  8. Russia arrests cybersecurity expert on treason charge
  9. Cisco Hyperflex: How We Got RCE Through Login Form and Other Findings
  10. CISA releases tool to help orgs fend off insider threat risks
  11. Securely checking if a password is compromised in Python
  12. 9 Cyber Security Domains
  13. Why is Cybersecurity Important in Today’s Society?
  14. Thousands of University Wi-Fi Networks Expose Log-In Credentials
  15. Let’s Encrypt R3 Intermediate Certificate Expiration (30 September 2021) – DNSimple Blog
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element