Security Weekly
Paul's Security WeeklySubscribe
Security Staff Acquisition & Development, Threat Management, Vulnerability Management, Compliance Management

We’re A Lot Happier – PSW #686

This week, we welcome David Hétu, Chief Research Officer at Flare Systems, to discuss How Illicit Markets Really Operate! In the second segment, we jump right into the Security News Microsoft Exchange had some vulnerabilities, how could you not hear about them?, Russians try to throttle Twitter, silicon valley security camera company has been breached and we get to see what it looks like as they make Teslas in China, Did I mention that there was an Exchange hack?, free tool release to help secure the supply chain (but not Russians with bags of cash), the best practices aren't always the best, advanced Linux malware and how not to encrypt C2 and hide files,network-based multi-domain macro-segmentation situational awareness for compliance, & more! Then We close out the show with a special pre-recorded interview featuring Assaf Dahan, Head of Threat Research at Cybereason, on "Ransomware Research, Threats, and Futures"!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

View Show Index

Full Audio

Segments

1. How Illicit Markets Really Operate – David Hétu – PSW #686

David has been studying the structure, size and scope of illicit markets for over 10 years. He has come to realize just how fragmented illicit markets are, how a few select vendors often control most of the sales, and how important social bonds are even in the context of anonymous illicit markets.

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

David Hétu
David Hétu
Chief Research Officer at Flare Systems

David Hétu is a co-founder and Chief Research Officer of Flare Systems. David has a Ph.D. in criminology from the Université de Montréal. His main research interest is in online illicit markets and the impact of technology on crime. David’s research has been published in the highest academic journals (ex. British Medical Journal) and presented at leading conferences. David and his team will be launching the BSides MTL conference in the Fall 2021.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Russian regex, John McAfee, Verkada Hack, & Microsoft Exchange – PSW #686

Microsoft Exchange had some vulnerabilities, how could you not hear about them?, Russians try to throttle Twitter, silicon valley security camera company has been breached and we get to see what it looks like as they make Teslas in China, Did I mention that there was an Exchange hack?, free tool release to help secure the supply chain (but not Russians with bags of cash), the best practices aren't always the best, advanced Linux malware and how not to encrypt C2 and hide files, and network-based multi-domain macro-segmentation situational awareness for compliance, & more!

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
  1. 1. Scanning for Secrets in Source Code
  2. 2. John McAfee Indicted for ICO Manipulation, Securities Fraud – Security Boulevard
  3. 3. BEST PRACTICES – 9 must-do security protocols companies must embrace to stem remote work risks
    Bleh, these articles simply don't help. I get the goal may be to present security in a simplistic way so that the majority of people can understand. However, watering it down too much results in useless advice, like this: "Secure home router. It’s essential to take simple steps to protect your home internet and change your router’s password to stop your network from being vulnerable." I'd argue these problems fall on us as security professionals to make security something that we worry about and improve, rather than the end-users.
  4. 4. Compliance – The Invisible Hand Guiding Cybersecurity
    Uhm, little or no human intervention? Really? Please explain... "A secure configuration management tool combines network monitoring and Endpoint Protection methodology to compare monitored systems against an approved configuration baseline or a golden image. Deviation from this baseline, known as test failures, can usually be corrected with little or no human intervention."
  5. 5. F5, CISA Warn of Critical BIG-IP and BIG-IQ RCE Bugs
  6. 6. Researcher finds 5 privilege escalation vulnerabilities in Linux kernel
  7. 7. Microsoft Windows Containers Privilege Escalation – Exploitalert
  8. 8. What we know about the attack targeting Microsoft Exchange Servers
  9. 9. Linux Systems Under Attack By New RedXOR Malware
    OMG, it's so hidden! "After execution, RedXOR creates a hidden folder (called “.po1kitd.thumb”) inside a home folder, which is then utilized to store files related to the malware. Then, it creates a hidden file (“.po1kitd-2a4D53”) inside this folder. The malware then installs a binary to the hidden folder (called “.po1kitd-update-k”), and sets up persistence via “init” scripts."
  10. 10. Idaho Man Charged With Hacking Into Computers in Georgia
    "Hacking" is not the term I would use here: "Between June 2017 and April 2018, Purbeck is accused of buying the usernames and passwords to computer servers belonging to multiple Georgia victims and then using that information to access their computer to steal personal information." Also, one of his handles was "studmaster", so, there's that.
  11. 11. “Puss in Boots” and social engineering
    An outstanding example of social engineering: "The cat asks his master to bath naked in the river and hides his clothes afterwards. Then, he stops the royal carriage under the pretence that his master has been robbed and requests the king’s assistance. This event exemplifies an important stage in every scam, the “hurrah”. It is an artificially induced crisis to force the victim to take a rush decision. " Also, an extremely well-written article, a refreshing change of pace :)
  12. 12. New Side-Channel Attack Targets Intel CPU Ring Interconnect
  13. 13. 5 free network-vulnerability scanners
    Free is more like a trial and not full-featured software. They all do it differently, Tenable allows you to scan 16 IP addresses, Rapid 7 has a community edition that is good for one year. I could not find a chart listing the differences between these versions, are they limited in comparison to the commercial version.
  14. 14. Hack of ‘150,000 cameras’ investigated by camera firm
  15. 15. Linux Foundation launches software signing service
    LOL: "The “sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify. I’m hoping we can make this easy as exiting vim,” said Dan Lorenc of Google’s Open Source Security Team, joking about the tough-to-quit text editor." Also, how do we prevent a developer who maintains a large and popular open-source project from Russians who drop a bag filled with $20 million cash from introducing a backdoor. More eyes on it? Maybe, but the codebase is so large and complex I'd bet it would go undiscovered for a really long time, long enough to buy your own island...
  16. 16. Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
  17. 17. Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
    "SoC Ring interconnect is an on-die bus arranged in a ring topology which enables intra-process communication between different components (aka agents) such as the cores, the last level cache (LLC), the graphics unit, and the system agent that are housed inside the CPU. Each ring agent communicates with the ring through what's called a ring stop. To test their hypothesis, the researchers reverse-engineered the ring interconnect's protocols to uncover the conditions for two or more processes to cause a ring contention, in turn using them to build a covert channel with a capacity of 4.18 Mbps, which the researchers say is the largest to date for cross-core channels not relying on shared memory, unlike Flush+Flush or Flush+Reload."
  18. 18. Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
  19. 19. Google Chrome to block port 554 to stop NAT Slipstreaming attacks
    How would this impact enterprises? "Chrome briefly blocked port 554 before, but it was unblocked due to complaints from enterprise users. However, we have now achieved rough consensus at https://github.com/whatwg/fetch/pull/1148 to block 554"
  20. 20. Israeli spyware firm NSO Group faces renewed US scrutiny
    How do we feel about companies such as this: "The Israeli company, which makes hacking software that it sells to foreign governments and law enforcement authorities for the stated purpose of tracking terrorist and criminals, has faced a number of allegations that its clients have used its software to target journalists, government officials and human rights campaigners."
  21. 21. How I Might Have Hacked Any Microsoft Account
    "Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled). It is not at all a easy process to send such large number of concurrent requests, that would require a lot of computing resources as well as 1000s of IP address to complete the attack successfully."
  22. 22. Passing a compliance audit in the cloud doesn’t have to be hard
    Hrm, maybe? "Once the automation is in place in the cloud, passing audits will be a matter of routine rather than a source of anxiety."
  23. 23. Hackers access 150,000+ security cameras in massive Verkada hack
    "It is being reported that more than 100 Verkada Inc. employees had access to thousands of cameras used by its customers whilst they were unaware that the company could peer through their cameras. This list of these customers/clients includes police departments, schools, top firms, and hospitals, etc."
Larry Pesce
Larry Pesce
Product Security Research and Analysis Director at Finite State
  1. 1. Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github
  2. 2. Russian attempt to throttle Twitter appears to backfire
  3. 3. Multiple Attack Groups Exploited Microsoft Exchange Flaws Prior to the Patches
  4. 4. Git clone vulnerability announced – The GitHub Blog
  5. 5. Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
  6. 6. Bitflips when PCs try to reach windows.com: What could possibly go wrong?
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. 1. F5 urges customers to patch critical BIG-IP pre-auth RCE bug
    F5 Networks released patches for four critical remote code execution flaws affecting most BIG-IQ and BIG-IP software versions. CVE-2021-22986 allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices. The other vulnerabilities, CVE-2021-22987, CVE-2021-22991, and CVE-2021-22992, are also listed as Critical and allow authenticated remote attackers to execute arbitrary system commands.
  2. 2. Email Hackers Defraud TM Supermarkets Of $22 Million In BEC Scam
    Hackers have reportedly defrauded Zimbabwe's TM Supermarkets out of some $22 million in what appears to be a business email compromise (BEC) scam in which unidentified hackers emailed instructions to the supermarkets' bank (Steward Bank) requesting that it transfer funds to four attacker-controlled accounts.
  3. 3. Tesla Shanghai factory among sites exposed in huge security camera hack
    An international hacker collective says it breached a massive amount of security camera data collected by San Mateo, Calif.-based start-up Verkada and accessed live camera feeds live feeds from 150,000 surveillance cameras located inside hospitals, prisons, schools, police departments, and companies, including Tesla Inc.
  4. 4. iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content
    As part of its macOS Big Sur 11.2.3, iOS 14.4.1, and iPadOS 14.4.1 security fixes, Apple has addressed a memory-related vulnerability (CVE-2021-1844) affecting its WebKit browser engine used by Safari on iPhones and MacBooks that could lead to arbitrary code execution if victims visit a website hosting malicious code.
  5. 5. 9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware
    Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store. This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully, and changes the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT.
  6. 6. Google, Linux Foundation, Red Hat release free tool to secure software supply chains
    Sigstore tool will provide the infrastructure for developers to cryptographically sign software releases, container images, or binaries and then save signing proof in public and auditable logs. Google described the new project as “Let’s Encrypt for Code Signing.” The Linux Foundation, which is formally hosting and shepherding the project, said Sigstore was created to address the problem of software supply chain security.
  7. 7. A Basic Timeline of the Exchange Mass-Hack — Krebs on Security
    Timeline of what happened when and why we're in a fix-it-now rather than patch Tuesday cycle.
  8. 8. Microsoft’s MSERT tool now finds web shells from Exchange Server attacks
    Microsoft has pushed out a new update for their Microsoft Safety Scanner (MSERT) tool to detect web shells deployed in the recent Exchange Server attacks. Tool scans and removes (by default) discovered web shells.
  9. 9. Everything you need to know about the Microsoft Exchange Server hack
    What happened, vulnerabilities explained, mitigation/patch options. Scope of attack.
  10. 10. Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 – Microsoft Security Response Center
    Mitigation to the vulnerabilities. These require service disablement and can be intrusive. PS you still need to patch.
  11. 11. Unpatched QNAP devices are being hacked to mine cryptocurrency
    Unpatched network-attached storage (NAS) devices are targeted in ongoing attacks where the attackers try to take them over and install cryptominer malware. Update firmware/software, review accounts, review installed software, add the QNAP MalwareRemoval app.
  12. 12. Idaho Man Charged With Hacking Into Computers in Georgia
    An Idaho man faces federal charges after authorities say he hacked into the computers of a Georgia city and Atlanta area medical clinics. He purchased credentials for the targeted systems online.
  13. 13. Docker Hub and Bitbucket Resources Hijacked for Crypto-Mining
    Aqua Security observed that attackers created 92 malicious Docker Hub registries and 92 Bitbucket repositories in just four days, indicating a resurgent crypto-mining campaign in which attackers are using those resources to infect targeted systems with the "Monero" cryptominer and mine for cryptocurrency.
  14. 14. About 580,000 SIA KrisFlyer and PPS members affected by external data leak
    Singapore Airlines (SIA) has disclosed it suffered a data breach after third-party information technology firm Sita's passenger service system servers were compromised and leaked some 580,000 SIA KrisFlyer and POS programmes members' personally identifiable information (PII). The connection is via Star Alliance Data which allowed Sitka to access data from all other airlines.
Tyler Robinson
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

3. Ransomware Research, Threats, and Futures – Assaf Dahan – PSW #686

Assaf Dahan, Sr Director, Head of Threat Research at Cybereason, discusses current trends in ransomware research. What happens when we're not watching or watching the wrong indicators? And threat actor handoff off pillaging to Cyber Merenaries.

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Guest

Assaf Dahan
Assaf Dahan
Sr Director, Head of Threat Research at Cybereason

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he gained extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis, reverse engineering and threat intelligence.

Hosts

Paul Asadoorian
Paul Asadoorian
Founder at Security Weekly
Lee Neely
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory

Related