PSW #736 – Mike Wilkes & Amanda Berlin
This week, we start the show off with an interview with Mike Wilkes, Chief Information Security Officer at SecurityScorecard, about Third Party Risk Management! Then, an interview featuring Amanda Berlin, Lead Incident Detection Engineer at Blumira! Finally, in the Security News for this week: Microsoft Zero-Days, Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip, Chinese hackers are using VLC media player to launch malware, An update to Raspberry Pi OS Bullseye, Bearded Barbie hackers catfish high ranking Israeli officials & more! All that and more, on this episode of Paul’s Security Weekly!
Visit https://securityweekly.com/securityscorecard to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Mike Wilkes CISO at SecurityScorecard joins us to discuss third party risk research!
This segment is sponsored by Security Scorecard.
Visit https://securityweekly.com/securityscorecard to learn more about them!
Mike Wilkes is the Chief Information Security Officer (CISO) at SecurityScorecard. Wilkes is responsible for developing enterprise-wide security programs to protect corporate systems as well as growing and extending the SecurityScorecard platform to customers, executives, and boards of directors.
Wilkes is a technology evangelist with experience reaching back to the earliest days of the internet and the birth of ecommerce (he and his team built, launched, and supported starbucks.com in 1998). Mike has been leading the digital transformation of globally renowned brands such as Sony Playstation, Macy’s, nVidia, KLM, and many others. Before joining SecurityScorecard, he was the VP, Information Security at ASCAP and the Director of Information Security, Enterprise Architecture, and DevOps teams for Marvel Entertainment.
Amanda Berlin joins us to discuss what she’s been up to since her last appearance on the show. It’s only been a couple of years, but a lot has changed in that time. Tune in to hear about what changes the pandemic brought to the vision and operations of Mental Health Hackers, and how they pivoted to a virtual environment during this time. The crew talks about their experience going from traveling to 15-20+ conferences a year, down to hardly any conferences during Covid, and what their future plans are now that in-person events are coming back around. Amanda fills us in on her current role at Blumira, other business ventures, and where you can find her speaking/running a village in the near future!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Amanda Berlin is the Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible and running incident response tabletop trainings.
Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings and industry events. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quickly to new technologies.
This week in the Security News: Hackers have found a clever new way to steal your Microsoft 365 credentials, Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip, An update to Raspberry Pi OS Bullseye, Bearded Barbie hackers catfish high ranking Israeli officials, & Nginxday!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 2. First Malware Targeting AWS Lambda Serverless Platform Discovered - "Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server ("gw.denonia[.]xyz") by concealing the traffic within encrypted DNS queries." - Also, it doesn't exploit a weakness in Lambda; it only checks whether it is running in that environment. Original article: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
- 3. Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip - "What the judge found most damning, perhaps, was a photo of Griffith presenting at the conference, wearing a traditional North Korean suit and standing in front of a blackboard on which it read “No sanctions!” with a smiley face."
- 4. Microsoft’s New Autopatch Feature to Help Businesses Keep Their Systems Up-to-Date - Sounds like what we've been doing with 3rd party tools all along? "Updates are applied to a small initial set of devices, evaluated, and then graduated to increasingly larger sets, with an evaluation period at each progression," Microsoft said. "The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized."
- 5. An update to Raspberry Pi OS Bullseye – Raspberry Pi - "Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."
- 6. NginxDay - Strange disclosure: "As Nginx have now released a blog post about the public releases of information, we've emailed them with a description, some familiarities of the issue that they highlighted over and assets affected. However, people are quick to jump on the "This is fake" or "This isn't anything" bandwagon. As we got no answer to if there is any bounty offered by Nginx for the findings, we've not shared any deeper information about this. If there is no bounty or even reward, we've looked at the other option that would be to sell the exploit on either breached.co, exploit.in or other sites. (We've been offered about 200K in XMR for the exploit)." NGINX blog post: https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
- 7. Bearded Barbie hackers catfish high ranking Israeli officials - Catphished? "After gaining the trust of the target by interacting with them for a while, the adversaries suggest migrating the conversation to WhatsApp, supposedly for better privacy. This is when the conversation takes an erotic turn, with the threat actors suggesting another pivot to a supposedly more discreet Android IM app, which is actually the VolatileVenom malware. Simultaneously, the operative sends a link to a RAR file that purportedly contains a sexual video, but which in reality is a downloader for the BarbWire backdoor."
- 8. How Bitcoin Tracers Took Down the Web’s Biggest Child Abuse Site - This is a long but amazing read. So many twists and turns, and thankfully we have investigators that don't give up and are able to take down scumbags at scale.
- 9. Amazon RDS Vulnerability Led to Exposure of Credentials - Interesting to see how this is exploited: "The log_fdw extension, AWS also notes, is pre-installed in both Aurora PostgreSQL and Amazon RDS for PostgreSQL. A privileged, authenticated user able to trigger the bug could use the leaked credentials to gain elevated access to database resources. “They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved,” AWS notes."
- 10. OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks - "According to notes published alongside the release of OpenSSH 9.0, the open-source group will now use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm." - Huh? Some resources: https://ntruprime.cr.yp.to/ and https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/#
- 11. Apache Releases Security Advisory for Struts 2
- 12. Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene - Still borrowing from Mirai... "This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility." Original Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
- 13. Microsoft Zero-Days, Wormable Bugs Spark Concern
- 14. Russia’s Sandworm hackers attempted a third blackout in Ukraine - Turn the power off once, shame on you. Let it happen again, shame on me: "In Tuesday's press briefing, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations represents not merely Russia's lack of focus on cyberwar as it carries out a full-blown physical war, but also Ukraine's growing ability to defend itself in the digital domain. “We have been dealing with an opponent that has been constantly training us, drilling us. Since 2014 we've been under constant aggression, and our expertise is unique in how to rebuff this aggression,” says Zhora. “We're stronger. We're more prepared. And of course, we will secure victory.”"
- 15. Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware – Microsoft Security Blog
- 16. Russian Hackers Tried Attacking Ukraine’s Power Grid with Industroyer2 Malware
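On item 10's "Huh?": the following is an added sketch (my code, not OpenSSH's) of what a hybrid key exchange buys you. X25519 is implemented from RFC 7748 with the Python standard library only, and the post-quantum half is a placeholder KEM that is deliberately broken, so that anyone watching the wire recovers its secret. That placeholder stands in for "a flaw in NTRU Prime is found later"; the assumption in the combine step is plain SHA-512 over the two secrets, PQ part first, without the SSH exchange-hash framing. The names and the role split (client generates the KEM key pair, server encapsulates) are mine.

```python
"""Hybrid KEX sketch in the style of sntrup761x25519-sha512@openssh.com.
Stdlib only; the KEM below is intentionally broken to model a post-quantum
algorithm that has been cryptanalysed after deployment."""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (correct, not side-channel hardened)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def rfc7748_vector_ok() -> bool:
    """RFC 7748 section 6.1 vector: both parties reach the published shared secret."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    k = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return x25519(a, x25519(b, BASEPOINT)).hex() == k == x25519(b, x25519(a, BASEPOINT)).hex()


class BrokenPlaceholderKem:
    """Stand-in for sntrup761 in this sketch only.  Not a KEM: the 'ciphertext'
    IS the shared secret, i.e. a KEM whose security has totally collapsed."""

    @staticmethod
    def keygen():
        sk = os.urandom(32)
        return hashlib.sha256(sk).digest(), sk      # (pk, sk); pk is decorative here

    @staticmethod
    def encap(pk: bytes):
        ss = os.urandom(32)
        return ss, ss                                # (ciphertext, shared secret)

    @staticmethod
    def decap(sk, ct: bytes) -> bytes:
        return ct


def hybrid_secret(kem_ss: bytes, ecdh_ss: bytes) -> bytes:
    """Assumed combine step: SHA-512(PQ secret || x25519 secret), no SSH framing."""
    return hashlib.sha512(kem_ss + ecdh_ss).digest()


def run_exchange():
    """Client: KEM key pair + x25519 key.  Server: encapsulate + x25519 key.
    Returns (client_key, server_key, on_the_wire, kem_shared_secret)."""
    c_kem_pk, c_kem_sk = BrokenPlaceholderKem.keygen()
    c_sk, s_sk = os.urandom(32), os.urandom(32)
    c_pk, s_pk = x25519(c_sk, BASEPOINT), x25519(s_sk, BASEPOINT)
    kem_ct, s_kem_ss = BrokenPlaceholderKem.encap(c_kem_pk)            # server
    server_key = hybrid_secret(s_kem_ss, x25519(s_sk, c_pk))
    c_kem_ss = BrokenPlaceholderKem.decap(c_kem_sk, kem_ct)            # client
    client_key = hybrid_secret(c_kem_ss, x25519(c_sk, s_pk))
    wire = {"c_kem_pk": c_kem_pk, "c_pk": c_pk, "s_pk": s_pk, "kem_ct": kem_ct}
    return client_key, server_key, wire, s_kem_ss


def passive_attacker(wire: dict) -> bytes:
    """Total break of the KEM: the attacker recovers the PQ half from the transcript.
    Without either x25519 private scalar it cannot form the second input to
    hybrid_secret, so the session key is still out of reach."""
    return BrokenPlaceholderKem.decap(None, wire["kem_ct"])
```

On a real OpenSSH 9.0 client, `ssh -Q kex` lists `sntrup761x25519-sha512@openssh.com` and `ssh -vv host` prints the negotiated method on its `kex: algorithm:` debug line; an older server simply falls back to a classical method, which is the trade-off the "backstop" wording describes.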
- 1. Microsoft takes down APT28 domains used in attacks against Ukraine - Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains that were being used by the group as attack infrastructure to hit various Ukrainian institutions and the media.
- 2. First Malware Targeting AWS Lambda Serverless Platform Discovered - Malware dubbed "Denonia" is being leveraged in attacks targeting the Amazon Web Services (AWS) Lambda serverless computing platform. Denonia is programmed in the "Go" language and includes a customized "XMRig" cryptocurrency mining variant.
- 3. SuperCare Health Data Breach Impacts Over 300,000 People - California-based respiratory care provider SuperCare Health recently disclosed a data breach affecting more than 300,000 individuals. Breached 7/23-27/21, disclosed 2/4/22 once the analysis was complete. How long is too long?
- 4. Sandworm hackers fail to take down Ukrainian energy provider - The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical subsystems using a new version of the CaddyWiper data destruction malware.
- 5. FFDroider, a new information-stealing malware disguised as Telegram app - Researchers say they have observed threat actors leveraging a new piece of Windows information-stealing malware dubbed "FFDroider" that is disguised as the Telegram instant messaging app and specifically designed to steal targeted victims' credentials and browser cookies.
- 6. Chinese hackers are using VLC media player to launch malware attacks - According to Symantec, as part of the attacks, Cicada uses a "clean" copy of VLC to load a malicious DLL through VLC's export functions (DLL side-loading), a technique frequently used by attackers to run malware under the cover of legitimate software.
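On the Denonia items above (item 2 in both lists): DoH is nothing more than an ordinary DNS wire-format message carried inside HTTPS (RFC 8484), which is why a conventional DNS sensor never sees the C2 lookup. The added example below (my code, not Cado's or anything from the malware) builds such a query for the C2 name quoted from the Cado write-up, encodes it the way a DoH GET request does, and then shows the one place a defender can still read it: a TLS-terminating egress proxy. The proxy log lines are constructed for the example and the hostname `resolver.example` is a placeholder.

```python
"""DoH carries RFC 1035 wire-format DNS over HTTPS.  Build one, encode it as a
DoH GET would, and recover the queried name from a (constructed) proxy log."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

C2_NAME = "gw.denonia.xyz"        # C2 domain named in the Cado write-up quoted above


def build_dns_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Minimal query: 12-byte header (RD set, QDCOUNT=1), one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def doh_get_param(msg: bytes) -> str:
    """RFC 8484 GET form: base64url, padding stripped, in the ?dns= parameter.
    DoH clients use txid 0 so the encoded value stays cache-friendly."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_doh_param(param: str) -> bytes:
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def question_name(msg: bytes) -> str:
    """Read the first QNAME out of a wire-format DNS message."""
    if struct.unpack(">H", msg[4:6])[0] < 1:
        return ""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:                       # pointer: not valid in a fresh question
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


# Constructed proxy log (not real traffic): method, URL, content-type, status.
PROXY_LOG = [
    "GET https://resolver.example/dns-query?dns=" + doh_get_param(build_dns_query(C2_NAME)) + " - 200",
    "GET https://www.example.com/index.html - 200",
    "POST https://resolver.example/dns-query application/dns-message 200",
]


def doh_names_from_log(lines):
    """Return (line_index, queried_name) for DoH requests seen by the proxy.
    GET requests carry the query in the URL, so the name is recoverable; POST
    bodies are not logged, so those rows come back with an empty name but are
    still a DoH indicator worth alerting on for a workload that should only
    use the platform resolver."""
    found = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.path != "/dns-query" and "application/dns-message" not in line:
            continue                            # /dns-query is convention, so also key on the media type
        qs = parse_qs(url.query)
        name = question_name(decode_doh_param(qs["dns"][0])) if "dns" in qs else ""
        found.append((i, name))
    return found
```

Without a TLS-terminating hop, all that remains visible is a TLS session from the function to a public resolver, so for Lambda the practical control is egress filtering (a VPC with no default route to the internet, or an allow-list of resolvers) rather than DNS logging.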