psw713

Paul’s Security Weekly Episode #713 – October 07, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Survey Says: Improve Your Security Posture by Purple Teaming – 06:00 PM-06:45 PM

Sponsored By

Visit https://securityweekly.com/plextrac for more information!

Announcements

  • Join us October 21 to learn why zero-knowledge encryption matters. If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Today Dan DeCloss, CEO of PlexTrac, joins the panel to share results from a CyberRisk Alliance survey of 315 security practitioners in the U.S. and Canada. This research, sponsored by PlexTrac, shows a correlation between purple teaming and program maturity, which emphasizes the importance of adversary emulation in today’s security landscape. Tune in to get the scoop on the survey results and MUCH more!

This segment is sponsored by PlexTrac.

Visit https://securityweekly.com/plextrac to learn more about them!

Guest(s)

Dan DeCloss

Dan DeCloss – Founder / CEO & President at PlexTrac

@wh33lhouse

Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.

Hosts

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Up & Running With Security Onion – 07:00 PM-07:45 PM

Announcements

  • InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

Description

There are many options to choose from when setting up The Security Onion. The use cases are vast, including NIDS (Zeek, Suricata), HIDS (Beats, Wazuh, osquery), and standalone instances for a SOC workstation and static analysis. I really like SO as a platform to collect all kinds of data from the network and from your systems (some even use the word XDR).

I am using the open-source version of The Security Onion, on my own hardware and VMs for monitoring the systems in our studio. It’s a mix of Windows, Linux, and Mac. I use this platform for threat hunting and security investigations.

Deployment – First, decide whether you are going to run it in the cloud or locally. If you run it locally, decide if you will use VMs, physical hardware, or a combination of the two. Also decide where to place the sensors and the log collectors, and which systems you want to monitor. In my case, I have one sensor on a network SPAN port (a physical system) and one VM.

Pay Attention To Requirements – I had to upgrade the storage of my sensor. I’m using a Qotom system and it required a new mSATA drive. You will need at least 12GB of RAM, 4 cores, and 200GB of storage (https://docs.securityonion.net/en/2.3/hardware.html). If you don’t have enough storage, SO will not install.

Understand The Modes – Evaluation and Standalone put everything on one system, which is great for testing, but I find this is sort of a waste of time. This is a great, free project for everyone and you should really just be deploying it. So put your big boy pants on and jump right to a distributed deployment. Distributed deployments have Forward Nodes, Managers, and Search Nodes. I run one Forward Node and one Manager + Search Node system. Spend some time with the architecture (https://docs.securityonion.net/en/2.3/architecture.html) first to really understand it, as there are a few more options than in previous versions.

Installation – You can install SO directly using their ISO image (based on CentOS), or directly on CentOS or Ubuntu 18.04 (yes, 18.04). I highly recommend using the SO ISO installer.

Commands – From the command line, so-status will give you a breakdown of the running processes. so-allow is a command you will have to run in order to allow your local systems and networks to access the SO processes. Use so-user-add to add new users.

Tools – There are so many things to implement now! I’ll start with the easy ones, like Grafana, which is a nice interface that monitors the health of your SO systems. You also get FleetDM, which allows you to manage osquery. We are installing osquery on all the systems here in the studio to start; it is very handy for querying all of your systems. Kibana is your console for security events. There are even some nice tools built into SO itself, one for alerts and one for hunting.
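Since the installer refuses to run on an undersized host, it is worth checking the numbers before you start. The following is an added example written for these notes, not a Security Onion tool: a small preflight check against the minimums quoted above (12GB RAM, 4 cores, 200GB storage), with a helper that reads the live values from the host you are about to install on. The data mount defaulting to / is an assumption; pass the real data volume if you use a separate one.

```python
import os
import shutil

# Minimums from https://docs.securityonion.net/en/2.3/hardware.html as quoted in the notes above.
SO_MIN_RAM_GB = 12
SO_MIN_CORES = 4
SO_MIN_DISK_GB = 200


def so_preflight(ram_gb, cores, disk_gb):
    """Compare a host's resources with the SO 2.3 minimums.

    Returns a list of human-readable shortfalls; an empty list means the host
    meets every minimum.
    """
    problems = []
    if ram_gb < SO_MIN_RAM_GB:
        problems.append(f"RAM: {ram_gb}GB is below the {SO_MIN_RAM_GB}GB minimum")
    if cores < SO_MIN_CORES:
        problems.append(f"CPU: {cores} cores is below the {SO_MIN_CORES} core minimum")
    if disk_gb < SO_MIN_DISK_GB:
        # The notes warn that the installer aborts outright when storage is short.
        problems.append(f"Disk: {disk_gb}GB is below the {SO_MIN_DISK_GB}GB minimum (install will fail)")
    return problems


def host_resources(data_mount="/"):
    """Read total RAM, core count and free space on data_mount (Linux/macOS via os.sysconf).

    data_mount="/" is an assumption; point it at the volume SO will actually use.
    """
    ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") // 1024 ** 3
    cores = os.cpu_count() or 0
    disk_gb = shutil.disk_usage(data_mount).free // 1024 ** 3
    return ram_gb, cores, disk_gb


def check_this_host(data_mount="/"):
    """Run the preflight against the local machine and return (ok, shortfalls)."""
    ram_gb, cores, disk_gb = host_resources(data_mount)
    shortfalls = so_preflight(ram_gb, cores, disk_gb)
    return (not shortfalls), shortfalls


if __name__ == "__main__":
    ok, shortfalls = check_this_host()
    print("host meets Security Onion minimums" if ok else "\n".join(shortfalls))
```

Run it on the candidate sensor or manager before booting the ISO; a non-empty list tells you exactly which part (in my case the mSATA drive) needs upgrading first.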

Hosts

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. LANtennas, ESXi & Python, Twitch Leaks, Facebook BGP, & iPhone Is Always On – 08:00 PM-09:30 PM

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!

    Keynotes from Alyssa Miller, John Strand, Lesley Carhart, & Dave Kennedy!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

This week in the Security Weekly News: Brushing that data breach under the rug? Get sued by the US Government!, all your text messages belong to someone else, beware of the Python in your ESXi, Twitch leaks, when LANtennas attack, zero-trust fixes everything, recalled insulin pumps, Apache 0-day, your iPhone is always turned on, Apple Pay hacked, & more!

Hosts

JoffThyer

Joff Thyer

@joff_thyer

Security Analyst at Black Hills Information Security

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

LeeNeely

Lee Neely

@lelandneely

Senior Cyber Analyst at Lawrence Livermore National Laboratory

  1. CISA Releases New Tool to Help Organizations Guard Against Insider Threats – CISA has produced/released a free self-assessment tool that can be used to gauge a company/agency’s risk posture by answering a series of questions. CISA especially recommends their tool be used by small to medium-sized businesses to identify cybersecurity shortcomings that could devastate their company should a disgruntled employee go rogue.
  2. DOJ Poised to Sue Contractors Who Don’t Report Cyber Breaches – The Deputy Director stated that the DOJ is ready to sue government contractors and any U.S. company who receives U.S. government grant money if they fail to notify the U.S. government of their computer network being breached. They will also be sued if they misrepresent their company’s cybersecurity processes. The DOJ will leverage the “False Claims Act” for their lawsuits.
  3. U.S. to tell critical rail, air companies to report hacks, name cyber chiefs – The Transportation Security Administration will introduce regulations that compel most U.S. railroad and airport industries to do three things: (1) improve their cybersecurity processes; (2) identify a chief cyber official and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident.
  4. Text Message Giant Reveals Five-Year Breach – Telecommunications provider Syniverse, which routes text messages for hundreds of telecom customers, has disclosed it was the target of a five-year data breach that has been ongoing since May 2016 and resulted in the exposure of personally identifiable information (PII) belonging to more than 200 Electronic Data Transfer (EDT) customers.
  5. NSA, CISA share guidelines for securing VPNs as hacking groups keep busy – CyberScoop – Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security’s cyber wing on Tuesday published guidelines for securing VPNs.

    The Guidance: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF

  6. Unnamed Ransomware gang uses a Python script to encrypt VMware ESXi servers – An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. According to Sophos researchers, attackers gained access to the targeted network by first logging into a TeamViewer account running on a device on which a domain admin was already logged in, and then leveraged Advanced IP Scanner to scan the network and identify other potential targets. After identifying potential targets, attackers then used the Bitvise SSH client to log onto an ESXi server.
  7. Thousands of Coinbase Users Hit by Phishing Attack — Here’s How to Protect Yourself – Coinbase experienced a breach in the spring of 2021. Nearly six months later, their customers are now being targeted with phishing emails containing fake embedded URLs that tell the customer their cryptocurrency account has been locked and requires immediate action. To date, nearly 6000 customers have lost money to this phishing scam, which leveraged a flaw in SMS-based password recovery that didn’t fully authenticate the request.
  8. Twitch’s source code and streamer payment figures have been leaked following hack – Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the “entirety of Twitch.tv.” Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details.

    It doesn’t appear that information like user passwords, addresses and banking information were revealed, but that can’t be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can’t log into your account if your password has been stolen.

  9. More details about the October 4 Facebook outage – FB Engineering’s report on what happened, in layperson’s terms.
    BGP/DNS/physical access fails – oh my!

    During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command.

    Our primary and out-of-band network access was down, so we sent engineers onsite to the data centers to have them debug the issue and restart the systems. But this took time, because these facilities are designed with high levels of physical and system security in mind. They’re hard to get into, and once you’re inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them.

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems – So much for air-gapped: “Dubbed “LANtenna Attack,” the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables just as if they are antennas. The transmitted signals can then be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, the data decoded, and sent to an attacker who is in an adjacent room.”
  2. The Rising Costs of Data Breaches – Zero-Trust fixes this? – “Significantly, the report found that data breach costs for companies with mature Zero Trust deployments were $1.7 million lower than costs for companies that had not deployed any Zero Trust solutions ($3.3 million vs. $5 million). These statistics, of course, do not – cannot — account for the greatest advantage of implementing Zero Trust security: the fact that organizations that have are much less likely to fall victim to a data breach in the first place.”
  3. PoC exploit for 2 flaws in Dahua cameras leaked online – Looks like setting certain values in the request simply bypasses authentication (https://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html).
  4. Medtronic recalls insulin pump controllers over life-threatening flaws – “Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death,” the FDA noted. “Furthermore, the attacker should be close to the victim, and the victim should ignore the pump’s alerts indicating that a remote bolus is being delivered.” – Recalled a medical device due to vulnerabilities. I believe this is progress, my friends.
  5. Apache fixes actively exploited zero-day vulnerability, patch now – “The actively exploited zero-day vulnerability is tracked as CVE-2021-41773 and it enables actors to map URLs to files outside the expected document root by launching a path traversal attack. Path traversal attacks involve sending requests to access backend or sensitive server directories that should be out of reach. Normally, these requests are blocked, but in this case, the filters are bypassed by using encoded characters (ASCII) for the URLs.” – This could be useful for reading configuration files that contain credentials and/or API keys…
  6. Who Is Hunting For Your IPTV Set-Top Box? – “The main purpose of these requests is likely not to compromise the device but to steal content or use the device remotely, for example, to find devices with subscriptions that can stream content from other countries.”
  7. NSO Group’s Pegasus malware used to spy on lawyers – If you’ve ever developed a cool tool or exploit, then shared it with a friend, then find out they did something awful with it, that’s how NSO should feel. “Hey, that exploit you gave me works great, I just hacked the pentagon!”. Oh. Shit.
  8. Researchers discover ransomware that encrypts virtual machines hosted on an ESXi hypervisor – Help Net Security – Python FTW: “Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks.”
  9. Company That Routes Billions of Text Messages Quietly Says It Was Hacked – What a great quote! Anyone know this guy? “‘Seems like a state-sponsored wet dream,’ Adrian Sanabria, a cybersecurity expert and founder of Security Weekly Labs, told Motherboard in an online chat. ‘Can’t imagine [Syniverse] being a target for anyone else at that scale.’”
  10. Always-on Processor magic: How Find My works while iPhone is powered off – “The scariest part might be that maybe the AOP and definitely NFC and Bluetooth LPM enable a new vector of hardware persistence. Broadcom Bluetooth firmware is not signed. Thus, an attacker with control over an iPhone can craft and install Bluetooth LPM malware. Since LPM is a hardware-based feature, there is no way to disable LPM on a potentially hacked device.” – Great article.
  11. Ransomware gangs are complaining that other crooks are stealing their ransoms – “One forum user claimed to have had suspicions of REvil’s tactics, and said their own plans to extort $7 million from a victim was abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money.” – A great example of “There is no honor among thieves”.
  12. Apple Pay with Visa Hacked to Make Payments via Locked iPhones – “The attackers would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. This tricks the iPhone into believing it’s connecting to a legitimate Express Transit option, and so, therefore, it doesn’t need to be unlocked. “If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this [to be] a transaction with a transport EMV reader,” the team explained.”
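The Apache item above makes a point worth acting on from the defender's side: a filter that only looks for a literal "../" will miss the same traversal written with percent-encoded dots or slashes, and double-encoded variants slip past a single decode. The following is an added example written for these notes, not code from the page or from the Apache project: it walks Apache combined-format access-log lines, percent-decodes each request path until it stops changing, resolves the "." and ".." segments, and reports requests that climb above the document root or that hide dots and slashes behind encoding. The log lines are constructed samples, and the heuristic of treating any encoded dot or slash next to ".." as suspicious is this example's choice, not something the article states.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic):
# a normal request, an encoded traversal, a double-encoded traversal, and a
# harmless ".." that stays inside the document root.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Oct/2021:10:01:05 +0000] "GET /static/%2e%2e/%2e%2e/config/app.conf HTTP/1.1" 200 1326 "-" "curl/7.68.0"
192.0.2.12 - - [06/Oct/2021:10:01:09 +0000] "GET /images/..%252f..%252fsecrets.conf HTTP/1.1" 404 196 "-" "python-requests/2.25"
192.0.2.13 - - [06/Oct/2021:10:01:11 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out the client, the request target and the status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def full_decode(s, max_rounds=3):
    """Percent-decode repeatedly until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path):
    """Resolve '.' and '..' segments the way a normaliser would; True if the path climbs above '/'."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(target):
    """Decode one request target and describe why it is (or is not) a traversal attempt."""
    raw_path = target.split("?", 1)[0]  # ignore the query string
    decoded = full_decode(raw_path)
    # Encoded dots, slashes, backslashes or a second encoding layer are the
    # telltale of someone trying to get past a naive filter.
    obfuscated = bool(re.search(r"%2e|%2f|%5c|%25", raw_path, re.I))
    return {
        "raw": raw_path,
        "decoded": decoded,
        "escapes_root": escapes_root(decoded),
        "obfuscated": obfuscated,
    }


def find_traversal(log_text):
    """Return one finding per log line whose request escapes the root or hides '..' behind encoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyze_request(m["target"])
        if info["escapes_root"] or (info["obfuscated"] and ".." in info["decoded"]):
            hits.append({"ip": m["ip"], "status": m["status"], **info})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f'{hit["ip"]} status={hit["status"]} raw={hit["raw"]} decoded={hit["decoded"]} '
              f'escapes_root={hit["escapes_root"]}')
```

Two details matter in practice: the status code tells you whether the server actually served something (a 200 on an escaping path deserves an immediate look, a 404 is reconnaissance), and the decoded path is what you compare against the files that hold credentials or API keys, which is exactly the data the note above says such a bug exposes.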

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element