The Hunt for Red October – PSW #690
This week, Lennart Koopmann, the CTO of Graylog, Inc, joins us for an interview to talk about Nzyme, a Free and Open WiFi Defense System. Then, Dutch Schwartz, Principal Security Specialist at Amazon Web Services, joins us for a discussion on the Lessons Learned When Migrating from On Prem to Cloud! In the Security News, Polish blogger sued after revealing security issue in encrypted messenger, The Facebook dump and Have I Been Pwned, Child tweets gibberish from a highly sensitive Twitter account, LinkedIn and more_eggs, APTs targeting Fortinet, SAP Applications Are Under Active Attack again, Is your dishwasher trying to kill you?, Ubiquiti All But Confirms Breach Response Iniquity, Cyber Threat Analysis, 11 Useful Security Tips for AWS and other stuff too, Signal Adds Cryptocurrency Support and Not everyone is a fan, Zoom 0-click exploit, when firmware attacks, attackers blowing up Discord!
Segment Resources:
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Segments
1. nzyme – Free & Open WiFi Defense System – Lennart Koopmann – PSW #690
Nzyme is a new kind of WiFi IDS (WIDS) that detects adversaries by looking at hard to spoof characteristics of an attacker. Existing WIDS tend to look at extremely easy to spoof metadata like channels or BSSIDs. The new approach of nzyme looks at hardware fingerprints and physical attributes like signal strengths. For example, it constantly tries to follow the signal "track" of every WiFi access point in range and alerts once a second track appears because this is most likely someone spoofing the legitimate access point from a different location.
Segment Resources:
Register for Joff's Fun Regular Expressions class here:
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Guest
Lennart founded Graylog as an Open Source project in 2009 to meet the needs of application developers, DevOps, and IT Ops teams. Since that time, he has led the transformation of Graylog into a robust enterprise application and established the company’s product and technology platform as one of the leading centralized log management solutions.
In his free time, he enjoys amateur boxing and working on his free and open WiFi IDS project nzyme.
Hosts
2. Lessons Learned When Migrating from On Prem to Cloud – Dutch Schwartz – PSW #690
Less than 15% of enterprise customers are primarily cloud native. With so many companies still in early stages of cloud migration, what are the key lessons learned from early adopters as well as digitally native companies? What are common mistakes and how can one avoid them?
Register for Joff's Fun Regular Expressions class here:
Announcements
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
Guest
Dutch Schwartz has 25 years of experience in technology from startups to five Fortune 500 companies. He’s recognized as a thought leader in cybersecurity and his LinkedIN content had over 130k views in 2020. A sought-after speaker, he’s a frequent panelist and podcast guest on topics including the benefits of cloud security, how to create a culture of security, and how to break into cybersecurity. Having worked with more than 50 CISOs of Fortune 500 companies to create cybersecurity solutions, he understands the evolution of CISO responsibilities and the challenges which security teams face. Dutch holds a Master’s of Business Administration in Global Management and was a strategy and planning officer in the US Army. He melds his formal training with his practical experience in cybersecurity to develop cloud security strategies for customers of Amazon Web Services.
Hosts
3. Facebook Dump, Hacking Your Dishwasher, Zoom 0-Click Exploit, & Ubiquity Response – PSW #690
This week in the Security News, Polish blogger sued after revealing security issue in encrypted messenger, The Facebook dump and Have I Been Pwned, LinkedIn and more_eggs, APTs targeting Fortinet, SAP Applications Are Under Active Attack again, Is your dishwasher trying to kill you?, Ubiquiti All But Confirms Breach Response Iniquity, Cyber Threat Analysis, 11 Useful Security Tips for AWS and other stuff too, Signal Adds Cryptocurrency Support and Not everyone is a fan, Zoom 0-click exploit, when firmware attacks, attackers blowing up Discord.
Register for Joff's Fun Regular Expressions class here:
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
- 1. What Are The Fundamentals of a Domainless Enterprise? – JumpCloud
- 2. LinkedIn and LOLBINs"a phishing campaign which used job titles scraped from user profiles to convince victims to open and execute evil files and links, which in this case, used an attack tool called more_eggs. The eggy script executes in memory and uses native binaries (“living off the land”) to foil detection efforts."
- 3. Is your dishwasher trying to kill you?There is an interesting balance between physical harm and monetary gain, though they could relate when it comes to IoT security. Poisoning water is one thing, ransomawaring your dishwasher is another thing. Will they intersect?
- 4. Ubiquiti All But Confirms Breach Response Iniquity – Krebs on SecurityNew statements (mostly more hand-waving), Krebs says: "Ubiquiti’s statement largely confirmed the reporting here by not disputing any of the facts raised in the piece. And while it may seem that Ubiquiti is quibbling over whether data was in fact stolen, Adam said Ubiquiti can say there is no evidence that customer information was accessed because Ubiquiti failed to keep logs of who was accessing its databases."
- 5. Zero Trust creator talks about implementation, misconceptions, strategy – Help Net Security
- 6. OpenBSD OpenSMTPD 6.6 Remote Code Execution
- 7. Light Roast 102: Cyber Threat AnalysisThis is an interesting role, curious to see how it's developing. Who monitors assets and threats? What role, if any, should security play in operations?
- 8. Chinese Hackers Selling Intimate Stolen Camera Footage
- 9. Vulnerabilities in ICS-specific backup solution open industrial facilities to attack
- 10. 11 Useful Security Tips for Securing Your AWS EnvironmentFew are actually only relevant to AWS...
- 11. Signal Adds Cryptocurrency Support – Schneier on SecurityNot everyone is a fan: "I think this is an incredibly bad idea. It’s not just the bloating of what was a clean secure communications app. It’s not just that blockchain is just plain stupid. It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI."
- 12. $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2OwnUpdate from Zoom: "We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."
- 13. Should firms be more worried about firmware cyber-attacks?"Its survey of 1,000 cyber-security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years. Yet only 29% of security budgets have been allocated to protect firmware." - I actually believe the 29% to be much lower.
- 14. Attackers Blowing Up Discord, Slack with MalwareAll kinds of abuse! "“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” they said. The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network, they added."
- 15. Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks
- 16. Library Dependencies and the Open Source Supply Chain Nightmare“It's a devil's bargain,” Contrast’s co-founder and CTO Jeff Williams told SecurityWeek, “because the farther you get behind, the harder it is to get back up to date. So, you accrue technical debt if you don't keep your libraries patched. But commercial companies are focused on rolling out new features and they don't want to do those library updates if they don't absolutely have to.”
- 17. FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploitedShould the NSA help monitor and thwart attacks without the 4th Amendment handcuffs? - "The U.S. Constitution's Fourth Amendment bars the government from domestic surveillance unless a crime is suspected. But in the digital age, these U.S. privacy protections have an unintended consequence. They help hide foreign intelligence agencies that can disguise their tracks and make it appear as if they are operating from inside the U.S."
- 18. After A Major Hack, U.S. Looks To Fix A Cyber ‘Blind Spot’
- 19. ‘Anomalous surge in DNS queries’ knocked Microsoft’s cloud off the web last week
- 20. New vulnerabilities discovered allow access to user data and complete takeover"Web server: allows a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials. DLNA server: allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well."
- 21. RootMy.TV: Coming soon! (Developer “pre-release” available now!)"TL;DR; If you want root on any* current WebOS LG TV, do not install updates for the time being, and wait patiently. If you're a developer or researcher, read the latest update below."
- 1. Polish blogger sued after revealing security issue in encrypted messenger
- 2. Windows XP makes ransomware gangs work harder for their money
- 3. The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned
- 4. Police say they found mafia fugitive on YouTube, posting cooking tutorials
- 5. Update on campaign targeting security researchers
- 6. Child tweets gibberish from US nuclear-agency account
- 1. Office Depot Configuration Error Exposes One Million RecordsA misconfigured Elasticsearch server has been found exposed online without a password and containing approximately one million records that included customers' PII. Information reportedly included victims' full names, phone numbers, home addresses, office addresses, @members.ebay addresses, marketplace logs, order histories, and hashed passwords.
- 2. New wormable Android malware poses as Netflix to hijack WhatsApp sessionsThe fraudulent FlixOnline" app promised global "unlimited entertainment" and two months of a premium Netflix subscription for free due to the pandemic. Once downloaded, however, the malware 'listens in' on WhatsApp conversations and auto-responds to incoming messages with malicious content. Upon installation, the app asks for overlay permissions -- a common ingredient in the theft of service credentials -- as well as Battery Optimization Ignore, which stops a device from automatically closing down software to save power.
- 3. The DOTGOV Act: Local Cybersecurity a National ImperativeAs the federal .gov program moves under CISA’s jurisdiction, the time is right to ensure more cities and counties transition to a .gov domain and take advantage of being seen as a government entity. Currently, just 10 percent of local governments have a .GOV domain.
- 4. LinkedIn Phishing Ramps Up With More-Targeted AttacksThe spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs.
- 5. APTs targeting Fortinet, CISA and FBI warnThe FBI and the CISA have issued a joint alert about APT actors scanning on ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. See also https://www.ic3.gov/Media/News/2021/210402.pdf
- 6. VMware fixes authentication bypass in Carbon Black Cloud Workload applianceVMware has addressed a critical vulnerability, CVE-2021-21982, in the VMware Carbon Black Cloud Workload appliance that could be exploited by attackers by manipulating a URL in the admin interface to bypass authentication.
- 7. 533 Million Facebook Users’ Phone Numbers and Personal Data Leaked OnlinePII belonging to roughly 533 million Facebook users around the world that was initially compromised by exploiting a Facebook vulnerability in 2019 has been leaked on a popular cyber crime forum and made accessible free of charge.
- 8. Clop Ransomware operators plunder US universitiesAccellion FTA used by universities to share information, "Clop" ransomware operators leaked PII and financial data belonging to students and staff stolen from Stanford Medicine, the University of California, and University of Maryland Baltimore (UMB). Range of sites with data published: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2021/04/image.png?ssl=1
- 9. Personal data of 30,000 users of NTUC’s e2i training and job matching services may have been breachedJob matching services provided by Singapore's National Trades Union Congress' Employment and Employability Institute (e2i) was breached by attackers. Not clear if leaked, but third-party liability needs to be understood.
- 10. Malware attack on Applus blocked vehicle inspections in some US statesVehicle inspections in eight U.S. states (Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin) were interrupted after provider Applus Technologies suffered a cyber attack on March 30 that forced it to disconnect its IT systems from the Internet to prevent the malware infection from spreading.
- 11. Watch Out! Mission Critical SAP Applications Are Under Active AttackAttackers are now actively targeting unsecured SAP applications in campaigns designed to steal sensitive data and sabotage critical processes. CVE-2020-6287 and CVE-2020-6207 are rated as High-risk due to the potential to gain remote unauthorized system access.
- 12. Hackers From China Target Vietnamese Military and Government"Cycldeck" group has been linked to a cyber espionage campaign that took place between June 2020 and January 2021 and targeted Vietnamese government and military organizations. Likely result of Vietnamese efforts to block China's expansion into the South China Sea.
- 13. EtterSilent maldoc builder used by top cybercriminal gangsEtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.
