December 10, 2019 – HNN #245



This week, How Panasonic is using internet honeypots to improve IoT device security, A new Windows 10 ransomware threat?, ‘Hackable’ karaoke and walkie talkie toys found by Which?, Linux Bug Opens Most VPNs to Hijacking, New Office 365 Feature Provides Detailed Information on Email Attack Campaigns, and Google Confirms Critical Android 8, 9 And 10 Permanent Denial Of Service Threat! In the expert commentary, we welcome Tyler Robinson, Managing Director of Network Operations at Nisos, Inc, to discuss Sophos Uncovering New Version of Snatch Ransomware!

Visit for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

December 10, 2019

Security News

  1. How Panasonic is using internet honeypots to improve IoT device security – This is really cool: in order to ensure development teams have as much information about potential security vulnerabilities in products as possible, both unreleased and on-the-market products are placed in the honeypots, which are monitored to gain insight into how devices are attacked by real-world hackers. “We deploy our real appliances as a honeypot and we collect attacks and malware targeting our devices. We can deploy products under development as well,” Osawa explained. The Panasonic IoT threat-intelligence platform has been active for two years and in that time the company has collected information on about 30 million cyberattacks and 4,000 kinds of IoT malware – all attacks that are targeting real devices put through the security tests.
  2. A new Windows 10 ransomware threat? Examining claims of a potentially unstoppable vulnerability – Lets clear up the sensational headline, first this is a vulnerability in Microsoft’s CFA (Controlled Folder Access): The idea behind CFA is simple: if you haven’t prevented malware from executing on the system…CFA can at least provide protection by thwarting the main thing that ransomware does: encrypt key files. and an example of one of the bypass techniques is as follows: in the “RIPlace” technique, malicious code replaces the file with its encrypted version rather than deleting the file first. Based on conversations with Nyotron, this situation occurs due to an error in the way that CFA is monitoring files to protect them. Also important to note, Microsoft is not motivated to fix this issue.
  3. Birth Certificate Data Laid Bare on the Web in Multiple States – Basically someone is operating with their pants down and has no clue: The bucket contained more than 752,000 applications, with names, addresses, email, phone numbers, family member info, dates of birth and the reason for making the application. According to TechCrunch, which verified the data, the bucket is still open – and updates daily. In one week, it added 9,000 applications to the database. The owner didn’t respond to multiple contact efforts; Amazon said that it would notify the owner, but no action has been taken, according to Fidus. For that reason, the company has not been named.
  4. ‘Hackable’ karaoke and walkie talkie toys found by Which? – Looks like basic Bluetooth pairing vulnerabilities: A stranger could, for example, use a Vtech’s KidiGear walkie talkie to pair to another one of the devices being used by a child – from a distance of up to 200m (656ft). The Bluetooth pairing of devices, however, would have to take place within a 30-second window, once the child’s device was activated. and Which? also found that the Singing Machine SMK250PP karaoke machine had been designed so that a stranger could stream audio to a child from a distance of up to 10 metres because the Bluetooth connection did not ask for authentication.
  5. Linux Bug Opens Most VPNs to Hijacking – According to researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” In an advisory released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client’s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.
  6. Microsoft to end updates to Windows 7’s free AV software, Security Essentials – Let’s face it, if you’re still on Windows 7 you need something better than the built-in A/V from Microsoft: “No, your Windows 7 computer is not protected by MSE ((Microsoft Security Essentials)) after January 14, 2020,” the company said in a support document mainly concerned about the Extended Security Updates (ESU) being shilled to enterprises. “MSE is unique to Windows 7 and follows the same lifecycle dates for support.” Security Essentials, a free antivirus (AV) program that launched in 2008, was originally limited to consumers. However, in 2010, Microsoft expanded the licensing to small businesses, defined as those with 10 or fewer PCs. Two years after that, MSE was replaced by Windows Defender with the launch of Windows 8. Since then, Defender has been baked into each follow-up version of the OS, including Windows 10. Windows 7, though, has been stuck with MSE.
  7. New Office 365 Feature Provides Detailed Information on Email Attack Campaigns – Cool stuff: The capabilities will provide security teams with summary details about the campaign, including point of origin, pattern and timeline, size, and the number of victims. Additionally, it shows a list of IP addresses and senders, and data on messages that were blocked, ZAPped, sent to junk or quarantine, or allowed into the inbox. Campaign views will also include data on the URLs used in the attack. This information, Microsoft says, should help organizations more easily secure affected or vulnerable users, improve their security posture by eliminating configuration flaws, investigate related campaigns, and hunt and track threats that use the same indicators of compromise (IOC).
  8. Snatch ransomware pwns security using sneaky safe mode reboot – We covered this technique on Paul’s Security Weekly Episode 482 with researchers from Cyberark Labs in September 2016.
  9. Google Confirms Critical Android 8, 9 And 10 Permanent Denial Of Service Threat – CVE-2019-2232 has been rated as the most severe of three critical vulnerabilities addressed in the December Android Security Bulletin. The official NIST National Vulnerability Database description of the vulnerability says that improper input validation in the “handleRun of” could create a “possible application crash.” In other words, a maliciously-crafted message could cause a denial of service to your Android device. A permanent denial of service attack that could effectively kibosh your smartphone. “User interaction is not needed for exploitation,” the description continues, and the remote denial of service attack needs “no additional execution privileges,” for good measure. The vulnerability applies to Android 8.0, Android 8.1, Android 9 and Android 10 versions.

Expert Commentary: Tyler Robinson

  1. A New Variant of ransomware is using a novel but not NEW technique for safe mode EDR/AV evasion.

Snatch Ransomware reboots PCs into Safe Mode to bypass protection

A new variant of ransomware is using a not new but still novel technique. The Snatch ransomware is using Safe Mode after reboot to bypass EDR and AV. This variant of Ransomware is continually getting new feature sets as well as buying initial access within corporations to begin infection, exfiltration, and lateral movement. Sophos Labs have released information regarding this new feature in a blog post and as part of their 2020 report.

The ransomware uses a service that starts in Safe Mode and proceeds to encrypt the hard drive once it is rebooted. This often bypasses or limits many AV and EDR products allowing the ransomware to encrypt unimpeded. While this is nothing new, check out Episode 482 of Security Weekly, this does show that ransomware and exploit kits are often updated and feature sets improved. Additionally, the initial access vector is being shown to often be bought or sold off, with man of the targets being attributed to bad security practices such as exposing RDP to the internet, poor passwords, and external services without MFA.

So why is ransomware still such an issue in 2019? With AV/EDR, File monitoring and DLP catching so much more how are these places still having such widespread success? Not getting the fundamentals right! My prediction of 2019 still carries over to 2020, the gap between the security maturity of organizations will begin to become more apparent. Having some basics really setup correctly; good passwords, MFA on all external services, host-based firewalls blocking host to host SMB, endpoint logging (basics? Sysmon is free!), proper file share permission, basic network segmentation for servers and services.

So Snatch and it’s new feature-set is pretty novel but I see this as just another variant of ransomware so keep up working on the list of fundamentals and don’t worry so much about locking down safe mode. This may not be as dangerous for corps due to network protections hopefully (hahah) and much of the really important data should be on a network share that is backed-up and typically not mounted during safe mode.


Paul Asadoorian
Paul Asadoorian – Founder & CTO
Tyler Robinson
Tyler Robinson – Managing Director of Network Operations