The Breath of the Targets – PSW #678
This week, Vicarius' very own Roi Cohen and Shani Dodge join us to kick off the show with a technical segment titled "Generating Threat Insights Using Data Science"! Then, Harry SverdLove from ZScaler joins us for a technical segment on "Securing The Enterprise Software Supply Chain"! In the Security News, How suspected Russian hackers outed their massive cyberattack, Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure, Zodiac Killer Cipher Solved, a Security Researcher states ‘solarwinds123’ Password Left Firm Vulnerable in 2019, Why the Weakest Links Matter, and a 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist!
Visit https://securityweekly.com/vicarius to learn more about them!
Visit https://securityweekly.com/edgewise to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
1. Generating Threat Insights Using Data Science – Roi Cohen, Shani Dodge – PSW #678
In this world of countless vulnerabilities, we need to find a way to identify threats. Prioritizing known vulnerabilities is a step in the right direction but definitely not enough. There is a need for a customized identifying threat process.
This segment is sponsored by Vicarius.
Visit https://securityweekly.com/vicarius to learn more about them!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Roi has over 13 years of experience as a pentester, IT admin, and CISO. In his current Role as Vicarius VP Sales, he helps companies to better product their infrastructure against software vulnerabilities.
Shani is Vicarius’s machine learning expert. She’s widely experienced with binary analysis, data science, and low-level development both in the academic and practical areas.
2. Securing The Enterprise Software Supply Chain – Harry Sverdlove – PSW #678
SolarWinds is just the latest example of how the enterprise software supply chain, when compromised, can be used successfully by attackers. These coordinated and well-managed attacks prey on trust, so how can we trust our enterprise software?
This segment is sponsored by Edgewise Networks.
Visit https://securityweekly.com/edgewise to learn more about them!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Harry Sverdlove, Chief Technologist for Secure Workload Communication, Zscaler, Inc. (formerly Co-Founder and Chief Technology Officer of Edgewise Networks), was previously CTO of Carbon Black, where he was the key driving force behind their endpoint security platform. Earlier in his career, Harry was principal research scientist for McAfee, Inc. (formerly Chief Scientist of SiteAdvisor), where he supervised the architecture of crawlers, spam detectors and link analyzers. Prior to that, Harry was director of engineering at Compuware Corporation (formerly NuMega), and principal architect for Rational Software, where he designed the core automation engine for Rational Robot.
3. SolarWinds Attack, AIR-FI Technique, & Zodiac Cypher Decoded – PSW #678
In the Security News, How suspected Russian hackers outed their massive cyberattack, Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure, Zodiac Killer Cipher Solved, a Security Researcher states ‘solarwinds123’ Password Left Firm Vulnerable in 2019, Why the Weakest Links Matter, and a 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations,”
- 2. 51% of WFH Parents Say Children Have Accessed Work AccountsWe need to take the time to educate: "Nearly half of parents let children access devices with saved passwords on them, data shows, but 14% admit their kids have caused trouble by accessing an account with a saved password. One noted their child got into their bank account and wired money to a random account."
- 3. Signal App Crypto Cracked, Claims Cellebrite – Security BoulevardI will not believe it until I see it: https://www.cellebrite.com/en/blog/cellebrites-new-solution-for-decrypting-the-signal-app/
- 4. How suspected Russian hackers outed their massive cyberattack“We initially detected the incident because we saw a suspicious authentication to our VPN solution,” said Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm. “The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.”
- 5. SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks"Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
- 6. Here comes the bride: New map matches threat intel to cyberdefenses – CyberScoopSounds like they mapped NIST CSF to Mitre Att&ck. Happy dance?
- 7. Millions of Unpatched IoT, OT Devices Threaten Critical InfrastructureMore of the same, if you want to pwn stuff, just use firmware and IoT, still... "According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched."
- 8. We’re not saying this is how SolarWinds was backdoored, but its FTP password ‘leaked on GitHub in plaintext’
- 9. RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped SystemsComing to an embassy near (or far away?) from you: "The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet."
- 10. Zodiac Killer Cipher Solved – Schneier on SecurityA 51-year-old cipher: "Cryptologist David Oranchak, who has been trying to crack the notorious “340 cipher” (it contains 340 characters) for more than a decade, made a crucial breakthrough earlier this year when applied mathematician Sam Blake came up with about 650,000 different possible ways in which the code could be read. From there, using code-breaking software designed by Jarl Van Eycke, the team’s third member, they came up with a small number of valuable clues that helped them piece together a message in the cipher"
- 11. Microsoft Windows DrawIconEx Local Privilege Escalation – Exploitalert
- 12. Why the Weakest Links Matter"Developer machines, source control management systems, build servers, or even sites that developers download tools from may be compromised, giving an attacker an entry point to inject malicious code. Too often, these are the weakest links in the chain, and attackers will always focus on the weak links. There's no need to spend the time and effort to attack the hard targets when there are easier options available; attackers — especially those that work for state-backed operations — have deadlines too."
- 13. Killswitch Found for Malware Used in SolarWinds HackThe profile is weird. The attackers were smart enough to backdoor Solarwinds. But yet, they reportedly stole some of Fireeye's attack tools. But then, left it easy to shut down the campaign: "During its analysis of the malware, FireEye noticed that SUNBURST had been communicating with a domain named avsvmcloud[.]com. The cybersecurity firm worked with Microsoft and registrar GoDaddy to seize control of the domain." Smoke and mirrors?
- 14. Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019This may help explain it: "Security researcher Vinoth Kumar told Reuters that he contacted the company in 2019, alerting it that anyone could access its update server by guessing the password “solarwinds123.” Reuters also reports that hackers claiming they could sell access to SolarWinds’ computers since 2017. It is not clear from the wording of the story whether the offer was for a method of infiltrating SolarWinds itself, or if the black hat was offering to sell access to computers that used SolarWinds software."
- 15. “Evil mobile emulator farms” used to steal millions from US and EU banks
- 16. ‘I Am the Dopest NASA Engineer You Will Ever Meet’: 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket ScientistI want to end the year on a high note, I LOVE this story: "A second mistake happened during Williams’ freshman year in high school, when a teacher inadvertently enrolled her in an honors geometry class. Williams said she was excited, but her heart dropped when the teacher told her it was a mishap and offered to re-enroll her in a normal math class. “But by this time, I knew that mistakes were my strength,” she said. “Mistakes gave me a second chance. Mistakes have me showing a whole generation of students how cool math and science can be.” Williams forged ahead, got an A in the class, and the rest is history. In 2017, she made her first splash when she penned lyrics teaching the quadratic formula. The song explained coefficients and x-axis intercepts over the sound bed of Soulja Boy’s 2007 summer anthem “Crank Dat.” A music video for the song got thousands of views on Youtube and helped catapult Williams to a level of stardom for her catchy educational jingles."
- 1. Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
- 2. SolarWinds hackers’ capabilities include bypassing MFA"Some companies are about to find out they actually do use SolarWinds in production…"
- 3. Linus Torvalds: ‘Nothing that looks scary’ in important new Linux kernel 5.10
- 4. Data Leak Exposes Details of Two Million Chinese Communist Party Members
- 5. Reported Russian hack of US systems has implications for DoD network security plans
- 6. Google Cloud is majorly upping its security game
- 7. Academics turn RAM into Wi-Fi cards to steal data from air-gapped systemsthis one's for Larry
- 1. FireEye Mandiant SunBurst CountermeasuresThese rules are provided freely to the community without warranty. In this GitHub repository you will find rules in multiple languages: Snort Yara IOC ClamAV
- 2. InfoSec Handlers Diary BlogSANS ISC summary on the Solarwinds event
- 3. SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain AttackSANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack - YouTube
- 4. cyber.dhs.gov – Emergency Directive 21-01Emergency Directive 21-01 December 13, 2020 Mitigate SolarWinds Orion Code Compromise - mitigations and actions required.
- 5. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST BackdoorExecutive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
- 6. Up to 3 million devices infected by malware-laced Chrome and Edge add-onsAs many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or malware infected sites. - This one is from Chelle (my wife)
- 7. AMNESIA:33 – ForescoutForescout Research Labs discovered 33 vulnerabilities impacting millions of IoT , OT and IT devices that present an immediate risk for organizations worldwide.
- 8. Data of 243 million Brazilians exposed online via website source codePersonally identifiable information (PII) belonging to some 243 million living and dead Brazilians was found exposed online after web developers inadvertently left the password to a government database in the source code of an official Brazilian Ministry of Health website for roughly six months.
- 9. TransLink confirms ransomware attack, says payment data secureIn this case, customers were unable to use credit and debit cards at certain vending machines and tap-to-pay fare gates, but TransLink said that payment card data was not compromised. Egregor ransomware was used in this attack.
- 10. Adobe users targeted in dangerous new phishing campaignA new credential capturing phishing attack has been discovered targeting Adobe users. This particular campaign uses an email that purports to be from the non-existent service Adobe Cloud. (As opposed to Adobe Creative Cloud which exists.)
- 11. Ransomware gang says they stole 2 million credit cards from E-LandClop ransomware is claiming to have stolen 2 million credit cards from E-Land Retail over a one-year period ending with last months ransomware attack. E-Land claims no customer data was accessed or exposed in the attack as that data was encrypted on a different server.
- 12. Hackers target groups in COVID-19 vaccine distribution, says IBMIBM is warning companies instrumental in the distribution of COVID-19 vaccines that its "cold chain" process for keeping vaccines at the proper temperature during delivery is being targeted in a global phishing campaign.
- 13. Nuclear weapons agency breached amid massive cyber onslaughtThe Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.