PSW #734 – Mark Boltz-Robinson, Hanine Salem
This week, we start the show off with an interview featuring Mark Boltz-Robinson, the Manager of the ADRP Team at Trellix, about the State of the SOC today! Next up, we welcome Dr. Hanine Salem, a Managing Partner at Novus Consulting Group, to discuss K-12 Cybersecurity Attacks!! Finally, in the Security News: Military intelligence, Chrome updates, an exploit for the firewall, racing the kernel, creepy spyware goes away(?), weaponizing security complexity, same old tricks, the largest crypto hack, suing journalists, targeting your battery backup, the teenager behind Lapsus$, spring exploits just in time for spring, & hacking your Honda Civic!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Mark is currently involved in building a security operations center for a large organization with an established infrastructure and teams already in place. In this chat, we'll explore the state of the SOC today, the challenges of building one, the reality versus expectations of SOC roles, what is SOAR'ing and what is not, and more. Tangential paths will likely be followed, as information security is fun to talk about in general!
Mark has been in information security for about 30 years, starting in academia with a focus on networking, then moving to Unix systems, and from there into firewalls, VPNs, load balancing/clustering technologies, and IDS/IPS. He briefly worked with Sourcefire, teaching Snort, Sourcefire, and Snort rule writing. After joining McAfee, he lent his expertise as a product-side consultant before changing paths to consult on all things defensive: blue team work including DFIR, threat hunting, threat intelligence, holistic security improvements, compliance, and more.
With an alarming increase in K-12 cybersecurity attacks, districts are considering new ways to protect their students and staff. With the need to increase the cybersecurity talent pipeline, the solution to the problem is much larger than just increasing protective technology measures to keep schools safe. Schools must also be proactive in training the next generation of cybersecurity experts.
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Dr. Hanine Salem, Managing Partner at Novus Consulting Group, has over 20 years of executive-level experience in education and human capital development. As part of her affiliation with large international organizations, she led major educational reform initiatives in the Middle East region. Her interests center on improving leadership's decision-making through rigorous policy analysis combined with results-oriented public management methods such as strategic planning and program evaluation.
While serving as the associate director of the Education Unit at RAND Corporation, her work largely focused on K-12 and higher education reform, evaluation of the implementation of education policies, and examination of topics related to human capital formation and skills attainment in the MENA region and around the world. In her capacity as regional office director, she served as an advisor to several senior officials engaged in ambitious development and reform initiatives. Prior to that, Dr. Hanine served as a UNDP senior advisor to two ministers of administrative reform. She introduced concepts of organizational performance management and measurement systems into several governments as well as designed several national performance-based reporting systems. In addition to her several leadership roles, Dr. Hanine previously taught at universities in the US and the Middle East and made numerous presentations at prestigious venues around the world in her fields of expertise.
This week in the Security News: Military intelligence, Chrome updates, an exploit for the firewall, racing the kernel, creepy spyware goes away?, weaponizing security complexity, same old tricks, the largest crypto hack, suing journalists, targeting your battery backup, the teenager behind Lapsus$, spring exploits just in time for spring, and hacking your Honda Civic, & more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. New Army unit will combine military intelligence with open source data on foreign adversaries - Are we not already doing this? - "By blending military intel with commercial data, publicly available information on foreign adversaries and certain national intelligence systems, it will provide insight necessary for Army Cyber Command to operate and defend networks and influence foreign audiences, the spokesperson added."
- 2. Researchers Used a Decommissioned Satellite to Broadcast Hacker TV
- 3. CVE-2022-1026: Kyocera Net View Address Book Exposure - "While the API supports authentication, and the thick client performs this authentication, while capturing the SOAP requests, it was observed that the specific request to extract an address book, `POST /ws/km-wsdl/setting/address_book` does not require an authenticated session to submit. Those address books, in turn, contain stored email addresses, usernames, and passwords, which are normally used to store scanned documents on external services or send to users over email."
- 4. A critical RCE vulnerability affects SonicWall Firewall appliances
- 5. Racing against the clock — hitting a tiny kernel race window - Haven't gone through all the technical details, but this seems to be the point: "This also demonstrates that even very small race conditions can still be exploitable if someone sinks enough time into writing an exploit, so be careful if you dismiss very small race windows as unexploitable or don't treat such issues as security bugs."
- 6. Creepy Spyware Company Claims It’s Broke Right Before Asset Seizure - Weird, they just closed up shop, perhaps burning it down to re-emerge and not be under fire from German authorities? "The company, which is known for its powerful and invasive malware “FinSpy,” has been under investigation by the German government since 2019 over allegations that it illegally sold spyware to the government of Turkey without acquiring the requisite export license. The spyware, which was allegedly used to monitor the phones of political activists in the country, is known for its ability to pilfer data and listen-in on mobile users."
- 7. EXCLUSIVE Hackers who crippled Viasat modems in Ukraine are still active - company official
- 8. Researchers release car exploit that allows hackers to lock, unlock and start Hondas
- 9. How Security Complexity Is Being Weaponized - Marty summed it up nicely right here: "As environments grow noisier with context-free security alerts and a constant flood of log data, it becomes easier for attackers to intentionally create distractions that make it possible for them to conceal their activities inside the network."
- 10. Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA - So yeah, like we know this works, and so does Lapsus$: "“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”" - Does simply rate-limiting this fix it?
- 11. “VMware Spring Cloud” Java bug gives instant remote code execution – update now! - Great explanations of Spring and the exploit path in this post: "If the person calling your Java function via the web (to look up a username in a database, for example, or to check if a specific SKU is in stock) inserts a specific HTTP header into their web request, and if that header contains Spring code structured in the right way… then the code in that header gets executed on the server, right inside the Spring Cloud server world. In other words, unauthenticated, uncomplicated remote code execution (RCE)."
- 12. Largest Crypto Hack Ever Nabs $625 Million From Ronin Network - "The hacker’s crypto wallet, which is available to view on Etherscan, shows that most of the funds haven’t been moved since they were extracted from the Ronin Network. But there’s evidence the hacker is trying to move tiny amounts of crypto in several transactions, perhaps a way to figure out what avenue might be safe for extracting the wealth."
- 13. Chrome Browser Gets Major Security Update - From the Google post: "Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL." (https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html) - I really like how Google is not afraid to list out the tools that people use to find vulnerabilities in their own products, nice!
- 14. Ubiquiti seeks $425 million in damages against industry blogger Brian Krebs - I think this is a stretch: "Ubiquiti said it promptly notified customers of the attack and instructed them to take additional security precautions to protect their information. Ubiquiti then notified the public in the next filing it made with the SEC, but they claim Krebs intentionally disregarded the steps the company took to target Ubiquiti and increase ad revenue by driving traffic to his website" - at least the "intentionally disregarded" on Krebs part, I'm on team Krebs. And oh look, there's this too: "Corey Quinn, chief cloud economist at the Duckbill Group calls into question the Ubiquiti lawsuit and pointed out that the law firm representing Ubiquiti, Clare Locke LLP in Alexandria, Virginia, has a long history of suing media companies. " (https://twitter.com/QuinnyPig/status/1508965090019577856)
- 15. Cyberattackers Target UPS Backup Power Devices in Mission-Critical Environments - "For instance, bad actors can use them as a jumping-off point to breach a company’s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses." - Also, it seems default credentials are the way attackers are getting in, which is bad.
- 16. Alvaro Muñoz on Twitter
- 17. Microsoft Azure Defender for IoT vulnerabilities could lead to ‘full network compromise’ - Damn, I had high hopes for Azure for IoT too, hopefully MS can turn it around: "Given that Defender for IoT is a security product itself, SentinelLabs says that its research “raises serious questions about the security of security products themselves and their overall effect on the security posture of vulnerable sectors.”"
- 18. Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal - "The boy's father told the BBC his family was concerned and was trying to keep him away from his computers. Under his online moniker "White" or "Breachbase" the teenager, who has autism, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America."
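The MFA push-bombing item above ends with the question of whether rate-limiting fixes it. As an added illustration (not code from the show or from any of the quoted articles), the following Python shows the two defender-side pieces involved: a server-side cap on push prompts per user, and a detector that flags an approval following a burst of prompts and a device enrollment shortly after it. The log format, the user names and the thresholds are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an authentication log in a made-up "key=value" format.
# alice is prompted five times in five minutes, declines, finally approves,
# and a new device is enrolled shortly after; bob is a normal single login.
SAMPLE_LOG = """\
2022-03-30T01:00:00 user=alice event=push_sent
2022-03-30T01:00:30 user=alice event=push_denied
2022-03-30T01:01:00 user=alice event=push_sent
2022-03-30T01:01:30 user=alice event=push_denied
2022-03-30T01:02:00 user=alice event=push_sent
2022-03-30T01:02:30 user=alice event=push_denied
2022-03-30T01:03:00 user=alice event=push_sent
2022-03-30T01:04:00 user=alice event=push_sent
2022-03-30T01:05:00 user=alice event=push_approved
2022-03-30T01:10:00 user=alice event=device_enrolled
2022-03-30T09:15:00 user=bob event=push_sent
2022-03-30T09:15:10 user=bob event=push_approved
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, event)."""
    ts, user_kv, event_kv = line.split()
    return (datetime.fromisoformat(ts),
            user_kv.split("=", 1)[1],
            event_kv.split("=", 1)[1])


class PushRateLimiter:
    """Server-side cap on push prompts per user in a sliding window.

    Once the cap is hit, push is locked for `lockout`, so a stolen password
    cannot be used to keep re-prompting the victim."""

    def __init__(self, max_prompts=3, window=timedelta(minutes=10),
                 lockout=timedelta(hours=1)):
        self.max_prompts = max_prompts
        self.window = window
        self.lockout = lockout
        self._sent = defaultdict(deque)   # user -> recent prompt times
        self._locked_until = {}           # user -> end of lockout

    def allow_push(self, user, now):
        if now < self._locked_until.get(user, now):
            return False
        recent = self._sent[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_prompts:
            self._locked_until[user] = now + self.lockout
            return False
        recent.append(now)
        return True


def demo_rate_limiter():
    """Drive the limiter with a constructed sequence of prompt requests for
    one user (minutes after t0) and return the allow/deny decisions."""
    limiter = PushRateLimiter()
    t0 = datetime(2022, 3, 30, 1, 0, 0)
    offsets = [0, 1, 2, 3, 30, 120]
    return [limiter.allow_push("alice", t0 + timedelta(minutes=m)) for m in offsets]


def detect_push_fatigue(lines, max_prompts=3, window=timedelta(minutes=10),
                        enroll_grace=timedelta(minutes=30)):
    """Flag approvals that follow a burst of prompts, and device enrollments
    that follow such an approval. Returns a list of (user, time, reason)."""
    prompts = defaultdict(deque)
    flagged_approval = {}   # user -> time of the suspicious approval
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        recent = prompts[user]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event == "push_sent":
            recent.append(ts)
        elif event == "push_approved" and len(recent) >= max_prompts:
            flagged_approval[user] = ts
            findings.append((user, ts, f"approval after {len(recent)} prompts in {window}"))
        elif event == "device_enrolled":
            approved_at = flagged_approval.get(user)
            if approved_at is not None and ts - approved_at <= enroll_grace:
                findings.append((user, ts, "new MFA device enrolled after fatigue approval"))
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The limiter answers the "call 100 times" part of the quote: the fourth prompt inside the window is refused and the user is locked out of push for an hour. It does not stop a victim from approving the third prompt, which is why the detector treats the enrollment that follows a flagged approval as its own finding; the enrollment step is what turns one tired tap into persistent access.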
- 1. A hacker stole $625 million from the blockchain behind NFT game Axie Infinity
- 2. Viasat shares details on KA-SAT satellite service cyberattack
- 3. EXCLUSIVE Hackers who crippled Viasat modems in Ukraine are still active - company official
- 4. Researchers Expose Mars Stealer Malware Campaign Using Google Ads to Spread
- 5. Honda Civics vulnerable to remote unlock, start hack
- 1. Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison – Krebs on Security - An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. He is also ordered to pay $36 million in restitution.
- 2. Honda Civics vulnerable to remote unlock, start hack - Researchers have found a vulnerability that can be exploited through a replay attack to unlock and remotely start certain Honda and Acura vehicles made between 2016 and 2020. The attack captures radio frequency signals sent to the car from a key fob and replays them at a later time. The researchers recommend that the car manufacturers use “rolling” or “hopping” codes.
- 3. Microsoft is adding a new driver-blocklist feature to Windows Defender on Windows 10 and 11 - Microsoft is adding a Vulnerable Driver Blocklist to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer. The blocklist will comprise information from Microsoft and from OEM partners.
- 4. FBI: Triton Malware is Being Used Against Energy Companies - The FBI has issued a TLP: White Private Industry Notification warning that Triton malware, also known as Trisis, is still a threat to critical infrastructure industrial control systems (ICS) around the world. The bulletin describes the threat, including the 2017 Triton attacks targeting a petrochemical company in the Middle East.
- 5. Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability - The Ukrainian Security Service (SSU) has revealed it has shuttered more than 100,000 bogus social media accounts that were part of a bot farm operated out of Kharkiv, Cherkasy, Ternopil, and Zakarpattia that was spreading fake news over social media designed to instill fear and discourage Ukrainian citizens from defending their country.
- 6. Ukraine war: Major internet provider suffers cyber-attack - Ukrainian national telecommunications operator Ukrtelecom says it is now trying to restore Internet service in Ukraine after being hit by a "major cyber-attack" that resulted in connectivity dropping to just 13 percent of pre-war levels throughout the country. Service is being restored on a priority basis. What would you do if your ISP was offline? Do you know where you fit on their service restoration plan?
- 7. Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability - Google on 3/25 shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited. Updates are also available for Chromium-based browsers such as Brave and Edge.
- 8. While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio - While Twitter suspends some Anonymous accounts, the collective hacked All-Russia State Television and Radio Broadcasting Company (VGTRK).
- 9. Sophos Firewall affected by a critical authentication bypass flaw - Sophos has addressed a critical vulnerability, tracked as CVE-2022-1040, in its Sophos Firewall that allows remote code execution (RCE). Sophos has released a hotfix that can be automatically installed. There are no mitigations for this flaw. Make sure you're on a supported firmware revision.
- 10. Russian aviation authority switches to paper after losing 65TB of data - The Federal Air Transport Agency Rosaviatsiya is responsible for overseeing the civil aviation industry in Russia. Its website favt.ru went offline on Monday and has been unreachable since. "Due to the temporary lack of access to the Internet and a malfunction in the electronic document management system of the Federal Air Transport Agency, the Federal Air Transport Agency is switching to a paper version," reads the Rosaviatsiya statement signed by the agency's head Alexander Neradko.
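The Honda item above says the attack is a replay of a captured key fob signal and that the fix is a "rolling" code. As an added example (not from the show, the researchers, or any vendor's actual implementation), this Python contrasts a fixed-code receiver, which accepts the same message any number of times, with a simplified rolling-code receiver that authenticates a per-press counter and refuses anything at or below the last counter it accepted. The shared key, the MAC-over-counter construction and the lookahead window are constructed for illustration and are not Honda's scheme.

```python
import hashlib
import hmac

# Constructed shared secret: in a real system it is set when the fob is paired.
KEY = b"constructed-shared-secret-for-example"
TAG_LEN = 8


def rolling_tag(key, counter):
    """Authentication tag over the press counter (simplified; illustrative only)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:TAG_LEN]


def fob_message(key, counter):
    """What the fob transmits on one button press: (counter, tag)."""
    return counter, rolling_tag(key, counter)


class FixedCodeReceiver:
    """Accepts one static code forever: a captured copy works as well as the fob."""

    def __init__(self, code):
        self.code = code

    def accept(self, message):
        return message == self.code


class RollingCodeReceiver:
    """Tracks the highest counter seen; a counter that is not strictly newer
    is treated as a replay, and a counter too far ahead is refused pending
    resync. The lookahead tolerates presses made out of range of the car."""

    def __init__(self, key, lookahead=16):
        self.key = key
        self.lookahead = lookahead
        self.last_counter = -1

    def accept(self, message):
        counter, tag = message
        if counter <= self.last_counter:
            return False                      # replayed or stale press
        if counter > self.last_counter + self.lookahead:
            return False                      # beyond the resync window
        if not hmac.compare_digest(rolling_tag(self.key, counter), tag):
            return False                      # wrong key or tampered counter
        self.last_counter = counter
        return True


def simulate_replay():
    """Run the same capture-and-replay scenario against both receivers and
    report each decision."""
    results = {}

    # Fixed code: the first use and the later replay are indistinguishable.
    fixed = FixedCodeReceiver(b"unlock-1234")
    captured = b"unlock-1234"
    results["fixed_first"] = fixed.accept(captured)
    results["fixed_replay"] = fixed.accept(captured)

    # Rolling code: the replayed message carries an already-used counter.
    car = RollingCodeReceiver(KEY)
    press = 0
    first_msg = fob_message(KEY, press)
    press += 1
    results["rolling_first"] = car.accept(first_msg)
    results["rolling_replay"] = car.accept(first_msg)

    # Three presses out of range advance the fob without the car seeing them;
    # the next press in range is still within the lookahead and is accepted.
    press += 3
    resync_msg = fob_message(KEY, press)
    press += 1
    results["rolling_resync"] = car.accept(resync_msg)

    # A guessed future counter without the key fails the tag check.
    results["rolling_forged"] = car.accept((press + 1, b"\x00" * TAG_LEN))
    return results


if __name__ == "__main__":
    for name, ok in simulate_replay().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the page makes is the first pair of results: the fixed code is accepted on replay, the rolling code is not. The resync case is the design trade-off that comes with rolling codes, and the lookahead window is what keeps a fob that was pressed in a pocket from desynchronising; the forged case shows that the counter alone is not the secret, the tag over it is.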
- 1. EMBER BEAR: Threat Actor Profile | CrowdStrike - EMBER BEAR is an adversary group aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations.
- 2. Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | CISA - Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture: • Patch all systems. Prioritize patching known exploited vulnerabilities. • Implement multi-factor authentication. • Use antivirus software. • Develop internal contact lists and surge support.
- 3. Surveillance software firm FinFisher declares insolvency - Munich-based spyware company FinFisher declared insolvency last month, Bloomberg reported Monday, amid an ongoing investigation into its business dealings.
- 4. Mitigating Attacks Against Uninterruptible Power Supply Devices - Mitigate attacks against UPS devices by immediately removing management interfaces from the internet.
- 5. Cyberattackers Target UPS Backup Power Devices in Mission-Critical Environments - The active attacks could result in critical-infrastructure damage, business disruption, lateral movement and more.