psw743

Paul’s Security Weekly Episode #743 – June 01, 2022

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Understanding WebApp Client-Side Security With Source Defense – 06:00 PM-06:45 PM

Sponsored By

sponsor
Visit https://securityweekly.com/sourcedefense for more information!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • Don’t forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Description

This segment will be an opportunity to discuss web application client-side security with subject matter expert Matt McGuirk from Source Defense. Modern web applications have a massive and misunderstood attack surface that exists within the webpages they serve.

Potential discussion topics:

– A visual overview of the problem
– A simulated client-side attack
– How to evaluate client-side risk on a given web site
– What technologies are available to defend against client-side attacks
– Historical case studies of landmark attacks

Segment Resources:
“Magecart 101” – a courseware-style overview of the problem for security practioners: https://www.youtube.com/watch?v=T4al8idAE_M

A quick five minute explainer on the problem and Source Defense’s solution: https://www.youtube.com/watch?v=f8MO45EQcKY

Source Defense’s brand new (as of 5/25/22) “State of the Industry” report for client-side security: https://info.sourcedefense.com/third-party-digital-supply-chain-report-white-paper

This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them!

Guest(s)

Matt McGuirk

Matt McGuirk – Solution Architect at Source Defense

Matt McGuirk is an expert in JavaScript, web technologies, and both client-side risk and client-side attacks. He has over 15 years of experience in web application development, website administration, and cybersecurity. Additionally, he has provided consultation and analysis to Fortune 50 companies on how best to secure their customer-facing web properties and business critical web applications. Matt lives in the American Northeast with his wife and two dogs.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Director of Product Management at Tenchi Security

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Charitable Ransomware, Year of Linux Malware, Follina MSDT, Twitter Fines, & Bounties – 07:00 PM-08:45 PM

Announcements

  • Security Weekly listeners, save $100 on your RSA Conference 2022 Full Conference Pass! RSA Conference will be live in San Francisco June 6th-9th, 2022. Security Weekly will be there in full force, delivering real-time, live coverage and interviewing some of the event’s top speakers and sponsors. To register using our discount code, please visit https://securityweekly.com/rsac2022 and use the code 52UCYBER. We hope to see you there!

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Description

This week in the Security News: Analyzing chat logs with Python, consumer reports for IoT, hypothetically BS, the year of the Linux desktop and the year of Linux malware are the same, do you trust Google to tell you open-source software is secure?, Twitter fines, WSL attack vector, Follina, UK Government still won’t pay a bounty, and ransomware that makes you a better person!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Director of Product Management at Tenchi Security

JoshMarpet

Josh Marpet

@quadling

Executive Director at RM-ISAO

LeeNeely

Lee Neely

@lelandneely

Information Assurance APL at Lawrence Livermore National Laboratory

  1. Karakurt Data Extortion Group – Karakurt actors steal data and threaten to auction it off or release it to the public unless they receive payment of the demanded ransom.

    CISA, the FBI, Treasury, and FinCEN encourage organizations to review Karakurt Data Extortion Group to learn about Karakurt’s tactics, techniques, and procedures and to apply the recommended mitigations. https://www.cisa.gov/uscert/ncas/alerts/aa22-152a

  2. Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird – Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these Vulnerabilities to take control of an affected systems.
  3. Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center – Work around – disable MS-DT
    Run Command Prompt as Administrator.
    Backup Registry key “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
    Delete the Registry key “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
  4. Microsoft Releases Workaround Guidance for MSDT “Follina” Vulnerability – Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.
  5. New Follina Zero-Day in Microsoft Office Puts Businesses at Risk – Researchers say they uncovered a new zero-day vulnerability, which has been dubbed “Follina” by security researcher Kevin Beaumont, The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” Uses bash on the Mac…
  6. Follina — a Microsoft Office code execution vulnerability – Kevin Beaumont’s write-up of Follina.
PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Using Python to unearth a goldmine of threat intelligence from leaked chat logs – Microsoft Security Blog
  2. Consumer Reports Launches IoT Cybersecurity ‘Nutrition Label’ – The burning question here is, will consumers care?
  3. Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack
  4. Researchers Devise Attack Using IoT and IT to Deliver Ransomware Against OT – This is a good hypothetical attack, however, barely mentioning the firmware aspect is disappointing. Also, in their example, there is a completely flat network, from IoT camera, to a workstation, to AD DC to another PC which then goes to the OT network, which is not, and should not, be common. I know it exists, but less frequently?
  5. Linux malware is on the rise—6 types of attacks to look for – Some pretty good FUD in here! The evidence to support the rise in Linux malware is weak and does not take into account the increase or decrease in Linux hosts, define what represents a Linux machine, account for actual new malware or just variants, etc… The 6 types of attacks to look for are not really compelling, the end goal will be achieved regardless of OS. There is some mention of Linux-based firmware, but not a whole lot of meat, and little on defense.
  6. Malware targeting Linux is becoming more present
  7. ChromeLoader Malware Hijacks Browsers With ISO Files – Still curious why they chose ISO files: “He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.”
  8. Google’s open-source security move may be pointless. In a perfect world, it should be. – This article could have had a point, but instead it just rambled and wasted an opportunity with Chris: “But it’s not that simple and it never is. Wysopal argues that many enterprises simply do not check what they should. If that’s true — and I sadly concede it likely is— then Google Assured is an improvement over what we had last month. In other words, if you’re already cutting too many corners and plan to continue doing so, Google’s move can be a good thing. If you’re strict about code-checking, it’s irrelevant.” – I believe Google does a good job of helping secure OSS, so why not incorporate that into your security process?
  9. Twitter pays $150M fine for using two-factor login details to target ads – As they should: “Twitter has agreed to pay a $150 million penalty for targeting ads at users with phone numbers and email addresses collected from those users when they enabled two-factor authentication. ” – Facebook also got in trouble for this in 2019 and had to pay $5 billion (https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook), Twitter should have learned from Facebook’s mistake.
  10. Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild
  11. VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive – Interesting exploit, manipulate HTTP Header values and returned from the server is a valid auth cookie! Nice: https://github.com/horizon3ai/CVE-2022-22972/blob/main/CVE-2022-22972.py Very nice…
  12. New Windows Subsystem for Linux malware steals browser auth cookies – I wonder how long it will take endpoint security to catch on to this one: “Additional functions in this variant include taking screenshots and grabbing user and system information (username, IP address, OS version), which helps the attacker determine what malware or utilities they can use in the next phase of the compromise. When Black Lotus Labs analyzed the sample, only two antivirus engines out of 57 on Virus Total flagged it as malicious, the researchers noted.” – And if you have endpoint security, do you install the Linux version in WSL or does the Windows version also come with support for WSL, or is anyone protecting WSL at this point?
  13. Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack – Great details here, using MSDT (Microsoft Support Diagnostic Tool) attackers, through a Word doc, load a file from a URL. Neat trick! No patch, but a workaround is available.
  14. GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need – CloudSEK – To “pay” this ransom you will have to: “1: Donate new clothes to the homeless, record the action, and post it on social media. 2: Take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos, and post them on social media. 3: Provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.” – Curious if there are healthier eating options, like could you take them to Sushi?
  15. UK government sits out bug bounty boom but welcomes vulnerability disclosure – I believe this is a mistake: “We currently don’t pay bug bounties, and the reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”
  16. Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat – Like, when everyone else patches stuff you should too: “Eclypsium’s accompanying video shows an attacker gaining access to the BMC after exploiting the vulnerability to modify its web server. The attacker then executes a publicly available tool that uses Pantsdown to read and write to the BMC firmware. The tool allows the attacker to supply the BMC with code that opens a reverse web shell whenever a legitimate administrator refreshes a webpage or connects to the server. The next time the admin tries to take either action, it will fail with a connection error. Behind the scenes, however, and unbeknownst to the admin, the attacker’s reverse shell opens. From here on, the attacker has full control of the BMC and can do anything with it that a legitimate admin can, including establishing continued access or even permanently bricking the server.”
TylerRobinson

Tyler Robinson

@tyler_robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element