PSW #754 – John Hammond

Announcements

• Security Weekly is proud to partner with Hack Red Con for their first annual in-person event! Hack Red Con is happening at the Hyatt Regency in Louisville, KY from September 7th-11th. As a part of our partnership, Security Weekly listeners receive a 10% discount on registration! Visit https://securityweekly.com/hackredcon to register now! We hope to see you there!

• Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

Guest

John Hammond

Senior Security Researcher at Huntress

@johnhammond#6971

John Hammond is a cybersecurity researcher, educator and content creator. As part of the Threat Operations team at Huntress, John spends his days analyzing malware and making hackers earn their access. Previously, as a Department of Defense Cyber Training Academy instructor, he taught the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages and the adversarial mindset. He has developed training material and information security challenges for events such as PicoCTF and competitions at DEFCON US. John speaks at security conferences such as BsidesNoVA, to students at colleges such as the US Naval Academy, and other online events including the SANS Holiday Hack Challenge/KringleCon. He is an online YouTube personality showcasing programming tutorials, CTF video walkthroughs and other cyber security content. John currently holds the following certifications: Security+, CEH, LFS, eJPT, eCPPT, PNPT, PCAP, OSWP, OSCP, OSCE, OSWE, OSEP, and OSED (OSCE(3)).

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

Josh Marpet

Executive Director at RM-ISAO

Tyler Robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

trob#6466

http://darkelement.io/

Announcements

• Security Weekly listeners save 20% on InfoSec World 2022 passes! InfoSec World will be held September 27th through the 29th at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. Visit securityweekly.com/isw and use the code ISW22-SECWEEK20 to secure your spot now!

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

1. 1. Last port of call – The Hacker Factor Blog
2. 2. Notice of Recent Security Incident – The LastPass Blog
   The look on the attacker's faces when they realized LastPass does not store the master password and such....lol
3. 3. Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
   More details can be found here: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
4. 4. John McAfee’s Ex-Girlfriend Says He Faked His Death and is “Still Alive” in Texas
   I think he is roommates with 2Pac.
5. 5. Some Macs are getting fewer updates than they used to. Here’s why it’s a problem
   One reason is drivers: "But those drivers may cause just enough problems that Apple doesn't want to deal with continuing to support those older Macs officially." This is important (to me anyhow): "A decade ago, it was definitely more common to consider a computer's performance and capabilities when defining system requirements, not driver or firmware security" and represents another reason why Apple, or other manufacturers, may decide not to support older hardware. As with drivers, they don't want to support older firmware updates. And, of course, everything is a big secret: "Right now, Apple is refusing to communicate anything about its software support timeline, and it's ending support for older Intel Macs years earlier than it was in the very recent past. Apple needs to fix at least one of these problems, lest owners of late-Intel-era Macs come away feeling burned." I will end with my cliche term: "Did I tell you that I use Linux as my daily driver?".
6. 6. Vision
   Neat: "This script analyses the Nmap XML scanning results, parses each CPE context and correlates to search CVE on NIST. You can use that to find public vulnerabilities in services."
7. 7. Arya – The Reverse YARA
8. 8. Your mechanical keyboard isn’t just annoying, it’s also a security risk
   "Keytap3 is a software developed by Georgi Gerganov that can detect what keys are being pressed simply by listening at a close range with a half-decent microphone, with Gerganov demonstrating this using a mobile phone's built-in microphone in an 'acoustic eavesdropping' test on their YouTube channel."
9. 9. Anonymous poop gifting site hacked, customers exposed
   The Internet has grown to allow so many beautiful things, creative works to thrive, people to communicate across the world and so many other positive things. It has also allowed ShitExpress to set up a website where you can send your friends or enemies a box of literal shit (from animals). They also have a SQL injection vulnerability as they claim you should be anonymous if you send people poo (which is pretty shitty). Gives new meaning to "taking a shit." I suppose this is a legit example of giving a shit, and if you haven't used the site, I imagine you don't give a shit; maybe you should?
10. 10. Hackers Are Using Anti-Cheat in ‘Genshin Impact’ to Ransom Victims
    "The unnamed hackers are taking advantage of the fact that Genshin Impact’s anti-cheat system has known vulnerabilities, that it’s signed by a legitimate company—meaning Windows will run it—and because it has high privileges, meaning it has access to sensitive parts of the operating system." From Trend: "It is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode. Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the module cannot be erased once distributed." Also, back to issues with the signing process: " It seems that there is no compromise of the private key, so it is still not known if the certificate will be revoked. It remains valid, at least for now. "
11. 11. New fwupd 1.8.4 release – Technical Blog of Richard Hughes
    "A new tantalizing features then become available when using fwupd, as we can now read and change firmware settings. One is the ability to emulate the BIOS settings of another machine, which is fairly uninteresting to end users, but allows us the developers to reproduce bugs much easier now that we’re doing cleverer things. One more interesting deployment feature is that we also support reading out a file from /etc and applying those firmware settings at startup. This means you can now deploy a machine using something like Ansible, and have the firmware settings set up in the same way you set up the local machine state. There are lots of docs on how this all works and I encourage you to try this out and let us know how it goes. One caveat is that this doesn’t work if you have a password set on your BIOS settings, but we’re working on this for the next version."
12. 12. Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
    Interesting targeted Phish (https://blog.group-ib.com/0ktapus)
13. 13. CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog
14. 14. Receipt for €8M iOS Zero-Day Sale Pops Up on Dark Web
    "Intellexa also promised the malware is delivered with just one click and uses the browser to inject the Android and iOS payload to mobile devices. The purchase price also includes data analysis, a "magazine" of 100 other infections, and even a full year's warranty. "
15. 15. Announcing Google’s Open Source Software Vulnerability Rewards Program
16. 16. HandiPi
    File this under "Neat" and "Projects that I think are cool but will probably not have time to build"
17. 17. Blind exploits to rule WatchGuard firewalls
18. 18. New UEFI CA memory mitigation requirements for signing
    "Microsoft, in conjuncture with partners in the PC ecosystem, has developed a set of capabilities and new operating environment conditions for UEFI based systems. This environment will leverage common, architecturally defined mitigations to improve the device security and boot process. For software running in this environment there are new requirements that must be adhered to. " - I read this as "We didn't do a good enough job making sure software we sign was actually secure, but we signed it anyhow. Now there will be some better requirements before we sign stuff". Also, this is a positive thing.

Josh Marpet

Executive Director at RM-ISAO

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

1. 1. iOS 12.5.6 Released 8/31/22
   Apple back ported webkit vulnerability CVE-2022-32893 to iOS 12.5 - install 12.5.6
2. 2. MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations – Microsoft Security Blog
   MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, static Kitten) was previously targeting VMWare instances with Log4J flaws, has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. After you make sure that you’ve applied updates to SysAid, if you’re using it, make sure that you’re not overlooking other patches, such as VMWare, for fixes to flaws like Log4j. The attack reads like an exercise out of SANS SEC560 - the attackers are using Log4Shell flaws to get an initial footprint, then using PowerShell to drop web shells, then add a user, give it elevated privileges, and add attack tools to startup folders for persistence. From there, they are using Mimikatz for credential theft, RemCom for later movement, and send data to their C2 server using a custom version of the Ligolo tunnel/reverse proxy.
3. 3. Lloyd’s of London Excludes Some State-Sponsored Cyberattacks From Coverage
   Lloyd’s of London “set out [its] requirements for state backed cyber-attack exclusions in standalone cyber-attack policies.” Lloyd’s syndicates will be required to exclude the attacks from insurance policies starting at the end of March 2023. Can you say look-alike? Accurate attribution is hard...
4. 4. Rosenworcel Shares Mobile Carrier Responses to Data Privacy Probe
   According to the FCC, 10 of the top 15 mobile carriers collect geolocation data but do not provide a means for customers to opt-out. Most of the carriers said that they do not allow customers to opt-out because of the need to comply with requests from law enforcement and because of FCC rules.
5. 5. FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations
   The FTC has filed a lawsuit against data broker Kochava for allegedly selling geolocation data that links users to health clinics, domestic violence shelters, recovery centers, and other sensitive locations. The FTC alleges that Kochava sells data collected from “hundreds of millions of mobile devices” paired with time-stamps and Mobile Advertising IDs.

Tyler Robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

trob#6466

http://darkelement.io/