PSW #730 – Alissa Torres & Rich Mogull
This week, we start the show off with the Security News for this week: Was It Russia?, Blocking software updates, crowd-sourced attacks, protecting FPGAs, moving Linux to modern C, Nvidia hit, the split of cyber criminals, Namecheap banning, Anonymous declares war, the Alan framework, and leaving your Docker port exposed... & more! Next up, we welcome Alissa Torres, Senior Threat Hunter at Palo Alto Networks, to explain how to “Hack the Hiring Process”! Last up, the a pre-recorded interview featuring Rich Mogull from FireMon, to discuss The Unique Challenges of Companies Born in the Cloud!
Segment Resources: Alissa's class with Antisyphon InfoSec Training Advanced Endpoint Investigations - https://www.antisyphontraining.com/advanced-endpoint-investigations-w-alissa-torres/ Visit https://securityweekly.com/firemon to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Full Audio
Segments
1. Ukraine, Russia, Cyber-Warfare, Sanctions, Conti Split, & Blocking Software Updates – PSW #730
In the Security News for this week: Was it Russia?, Blocking software updates, crowd-sourced attacks, protecting FPGAs, moving Linux to modern C, Nvidia hit, the split of cyber criminals, Namecheap banning, Anonymous declares war, the Alan framework, and leaving your Docker port exposed, & more!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
- 1. Would Banning Russia From Getting Software Updates Make It Easier to Hack?"The ban on software updates, specifically, captured the attention of cybersecurity experts. One of the most basic pieces of advice for consumers and companies is to make sure all software is updated to the latest version, because known vulnerabilities are patched out. If Russia was prevented from updating software, this would, in theory, make unpatched systems easier to hack. Dmitri Alperovitch, a cybersecurity veteran and the chairman of the Silverado Policy Accelerator, told Motherboard in an online chat that such a ban is “just going to drive them even more towards open source [software].”"
- 2. Crowd-sourced attacks present new risk of crisis escalation"From our perspective, this sudden appearance of many different highly motivated actors of wildly differing levels of capability presents a special hazard given the current political environment. Even low-capability actors have a possibility of getting lucky, and if they get lucky in the wrong place, real-world consequences could come into play. These groups may be mistaken for state-sponsored organizations, without understanding what kind of reactions they might trigger. This is our greatest concern, that the response to a misattributed attack will lead to an escalation in the conflict. "
- 3. Protecting Field Programmable Gate Arrays From Attacks"Features like side-channel attack protection, anti-tampering, and anti-cloning help FPGAs provide hardware-enforced isolation, identity management, and accelerated authentication."
- 4. Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks
- 5. Reality Winner’s Twitter account was hacked to target journalists"Reality Leigh Winner is an American former intelligence specialist who, in 2018, was sentenced to five years and three months in prison for unauthorized release of classified information to the media."
- 6. Linus Torvalds prepares to move the Linux kernel to modern C"So why bother? The change being made doesn't include useful features that appear in newer versions. The situation came to Torvald's attention when, in order to patch a potential security problem with the kernel's linked-list primitive speculative-execution functions, another problem was revealed in the patch. While fixing this, Torvalds realized that in C99 the iterator passed to the list-traversal macros must be declared in a scope outside of the loop itself. "
- 7. Nvidia Hit by Possible Cyber Attack – ExtremeTech"Given the timing of the attack, it certainly raises questions about if it’s at all tied to the recent Russian aggression in Ukraine as the cyber attack began at roughly the exact same time as the Russian incursion into Ukraine. Shortly thereafter, the US announced major sanctions against Russia in retaliation for its actions, so it’s possible that hackers friendly with Russian interests could be counter-attacking, and a huge and important company like Nvidia would certainly be a juicy target. However, several days ago the Secretary of the Department of Homeland Security, Alejandro Mayorkas, said the US doesn’t know of any specific and credible threats targeting US companies at this time, but that companies should be prepared just in case. " - Every breach is not Russia, or is it?
- 8. DarkTracer : DarkWeb Criminal Intelligence on Twitter
- 9. vx-underground on Twitter
- 10. Conti ransomware gang chats leaked by pro-Ukraine memberInteresting how this is split: "A member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on Friday, in the aftermath of Russia’s invasion of Ukraine. The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists and security researchers."
- 11. Namecheap is banning Russians, asks them to switch registrarsGood idea? "Namecheap also asked Russian users to move their top-level domains to other providers until March 6 and offered to help those who reach out for assistance with the move. "
- 12. Alan FrameworkNeat C2 framework: "You can run your preferred tool directly in-memory, JavaScript script execution (in-memory without third party dependency), Supported agent types: Powershell (x86/x64), DLL (x86/x64), Executable (x86/x64), Shellcode (x86/x64), Server.exe can be executed in Linux (via dotnet core), The network communication is fully encrypted with a session key not recoverable from the agent binary or from a traffic dump, Communication performed via HTTP/HTTPS, No external dependencies or libraries need to be installed, A powerful command shell, The agent configuration can be updated on the fly (you can change port and protocol too)"
- 13. Triaging A Malicious Docker Container – Sysdig"If your endpoint must be exposed, Docker recommends configuring a docker context in order to only expose the Docker socket to users who are able to log into the Docker host via SSH. An alternative, and also complementary solution to creating a docker context, is a zero-trust infrastructure architecture, where only known or signed containers are allowed to run. In addition, proper zero-trust implementations necessitate that communication between containers is only possible when containers are able to authenticate among themselves via pre-shared certificate."
- 1. CIT (en) on Twitter
- 2. Scott Tilley ???????? on Twitter
- 3. Michael Weiss ???? on Twitter
- 4. TRANSLATED Conti Leaked Comms
- 5. IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
- 6. Radio related news on UkraineThere is a lot to take in on this one...
- 1. CISA, FBI warn US orgs of WhisperGate and HermeticWiper malwareThe Cybersecurity and Infrastructure Security Agency (CISA) and FBI released new guidance on the WhisperGate and HermeticWiper malware strains in a joint advisory this weekend.
- 2. Google pulls RT, Sputnik from Play Store as EU ban looms – TechCrunchGoogle has followed Microsoft and Apple’s lead and removed the apps of Russia Today (RT) and Sputnik from its mobile app Store, Play, per Reuters. The two Kremlin-linked media outlets were sanctioned in the European Union following Russia’s invasion of Ukraine.
- 3. New data-wiping malware used in destructive attacks on UkraineCybersecurity firms have found a new data wiper used in destructive attacks today against Ukrainian networks just as Russia moves troops into regions of the country. ESET telemetry shows that it was installed on hundreds of machines in the country.
- 4. SockDetour Backup Backdoor Targets US Defense ContractorsA new advanced persistent threat campaign dubbed "TiltedTemple" has been spttet, in which hackers are leveraging the sophisticated "SockDetour" backdoor in attacks targeting U.S. defense contractors.
- 5. GPU giant Nvidia is investigating a potential cyberattackUS chipmaker giant Nvidia confirmed today it’s currently investigating an “incident” that reportedly took down some of its systems for two days. The Lapsus$ data extortion group claims they breached and stole 1 TB of data from Nvidia’s network. They also leaked online what they claim to be password hashes for all Nvidia employees.
- 6. Ukraine stands up to Russian cyberattacks; Putin could launch revenge attacks against US, expert warnsUkraine stands up to Russian cyberattacks; Putin could launch revenge attacks against US, expert is concerned that economic sanctions currently being levied against Russia could become justification for the Russian President to authorize revenge cyber-attacks against American computer networks – particularly those within our supply chain.
- 7. Conti ransomware group announces support of Russia, threatens retaliatory attacks – CyberScoopThe Conti ransomware group, alleged to have ties to Russian intelligence, posted a warning Friday that said it was "officially announcing a full support of Russian government." Said it would use "all possible resources to strike back at the critical infrastructures” of any entity that organizes a cyber attack "or any war activities against Russia."
- 8. Conti ransomware’s internal chats leaked after siding with RussiaA Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion with the Ukraine
- 9. Anonymous Hacking Group Declares “Cyber War” Against RussiaHacktivist group Anonymous has declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine.
- 10. Anonymous breached the internal network of Belarusian railwaysThe Anonymous hacker collective claims to have breached the Belarusian Railway’s data-processing network.
2. Mock Interviews – Hack the Hiring Process – Alissa Torres – PSW #730
If you are amongst the legions transitioning into a cybersecurity career, mock interviews serve as critical preparation for your job hunt. Alissa has delivered over 50 of these practice sessions over the last 4 months. Get some pointers from her on how to stand out from the crowd of entry-level applicants.
Segment Resources:
Alissa's class with Antisyphon InfoSec Training **Advanced Endpoint Investigations** - https://www.antisyphontraining.com/advanced-endpoint-investigations-w-alissa-torres/
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
Alissa Torres is passionate about security operations and empowering analysts to succeed in blue team ops. Her professional experience includes roles in forensic investigations, enterprise incident response and threat hunting, security services consulting and management. Alissa currently serves as a Senior Threat Hunter at Palo Alto Networks. Having taught as principal faculty for several pivotal cybersecurity training institutions over the last decade, Alissa has engaged hundreds of skilled professionals around the world, growing a legion of artifact hunters who share a common affinity for adversary tracking. An investigator at heart, she frequently shares accounts of her research discoveries and tales from the trenches at industry conferences.
Hosts
3. The Unique Challenges of Companies Born in the Cloud – Rich Mogull – PSW #730
Rich joins us to discuss the differences in managing security policies between on-premises network environments and the cloud and the impacts that has on companies that are 100% cloud-based. He’ll also be discussing the additional considerations that these organizations need to consider if they are considering SASE and SD-WAN to expand network access for their users.
This segment is sponsored by FireMon.
Visit https://securityweekly.com/firemon to learn more about them!
Announcements
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Guest
With twenty years of experience in information security, physical security, and risk management, Rich is one of the foremost experts on cloud security, having driven development of the Cloud Security Alliance’s V4 Guidance and the associated CCSK training curriculum.
Hosts
