The Magic Fix – PSW #709

Announcements

• Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

Jeff Man

Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems

https://www.obsglobal.com/

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

Announcements

• InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!

• Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

1. 1. Bluetooth Bugs Open Billions of Devices to DoS, Code Execution
2. 2. NPM package with 3 million weekly downloads had a severe vulnerability
3. 3. Superhero Loki Lurks Like a Zero-Day Threat
   Does the "TVA is just like a SoC" analogy hold up?
4. 4. The ‘Unhackable’ Wii Mini Has Been Hacked
5. 5. How to Secure your AWS infrastructure?
6. 6. Confluence Server 7.12.4 OGNL Injection Remote Code Execution
7. 7. Israeli Foreign Minister Promises Closer Look at NSO
   Darknet Diaries has a great episode with details on this (though despite amazing effort, was not able to interview NSO, which speaks volumes): "NSO has come under widespread criticism over reports that its flagship spyware product, Pegasus, has been misused by governments to spy on dissidents, journalists, human rights workers and possibly even heads of state. Pegasus is able to stealthily infiltrate a target’s mobile phone, giving users access to data, email, contacts and even their cameras and microphones."
8. 8. Beginners Guide to Azure Sentinel
9. 9. It’s time to create a TJ Hooper for information security
   "Many companies have a prevailing practice regarding information security — that they need to do only the bare minimum to get by. They do that while millions of consumer records are breached weekly."
10. 10. A deep-dive into the SolarWinds Serv-U SSH vulnerability
11. 11. Pwned! The home security system that can be hacked with your email address
12. 12. Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords
13. 13. SANS Technology Institute Selects Ed Skoudis As Its New President
    Congrats Ed!
14. 14. Widespread credential phishing campaign abuses open redirector links
15. 15. Authentication Bypass Vulnerability In Exchange Server – CyberWorkx
16. 16. Cyberhack Hides Malicious Code in Your Graphics Card’s VRAM
17. 17. A popular smart home security system can be remotely disarmed, researchers say – TechCrunch
    "If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device's serial number." - And with the email and the IMEI, you can use the API to disarm the system. Also, I feel like this is 20-years-ago behavior from a vendor: "Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting. Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not provide specifics that it claims are false, or if Fortress has mitigated the vulnerabilities."
18. 18. Does a USB drive get heavier as you store more files on it?
    Actually...
19. 19. CISA: Don’t use single-factor auth on Internet-exposed systems
    "The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet. "
20. 20. HPE Warns Sudo Bug Gives Attackers Root Privileges to Aruba Platform
    And they are just either discovering or disclosing this now? SBOM anyone? - "The Aruba AirWave management platform is HPE’s real-time monitoring and security alert system for wired and wireless infrastructures. The Sudo bug (CVE-2021-3156) was reported in January by Qualys researchers and is believed to impact millions of endpoint devices and systems."
21. 21. Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack
    " The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed."
22. 22. When you finish celebrating Linux turning 30, try new Linux 5.14, says Linus Torvalds
    Interesting, we seem to be really destroying the basic concepts of permissions and rings: "memfd_secret lets applications create an area of memory that only that application can access. Not even the kernel can access the designated area of memory. Which matters, because Spectre and Meltdown meant cached data could be accessed. memfd_secret is designed to provide a safe place for secrets like cryptographic keys or passwords to reside."
23. 23. Florida Woman Convicted Of Damaging Her Former Employer’s Computers After She Was Fired
    Yikes: "While she was being terminated, and just before she was escorted from the building, CALONGE was observed by two employees of Employee-1 repeatedly hitting the delete key on her desktop computer. Several hours later, CALONGE logged into a system (“System-1”) used by Employer?1 to receive and manage applications for employment with the company, which the company had invested two years and over $100,000 to build. During the next two days, CALONGE rampaged through System-1, deleting over 17,000 job applications and resumes, and leaving messages with profanities inside the system."
24. 24. ChaosDB: Unauthorized Privileged Access to Microsoft Azure Cosmos DB
    "By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook. By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key. Using these credentials, it is possible to view, modify, and delete data in the target Cosmos DB account via multiple channels. Below is a diagram that illustrates the attack."

Jeff Man

Sr. InfoSec Consultant – Online Business Systems at Online Business Sytems

https://www.obsglobal.com/

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory

1. 1. Fired NY credit union employee nukes 21GB of data in revenge
   Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution's computer systems without authorization and destroying over 21 gigabytes of data in revenge 40 minutes after being fired.
2. 2. 91% of Industrial Organizations Can Be Penetrated by Hackers
   More than nine in 10 (91%) industrial organizations are vulnerable to cyber-attacks, according to a new report by Positive Technologies. Their penetration testers gained access to the technological segment of the network of 75% of organizations. This then enabled them to access industrial control systems (ICS) in 56% of cases. Report: https://www.ptsecurity.com/ww-en/analytics/ics-risks-2021/
3. 3. Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners’ home addresses in Google Earth
   The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.
4. 4. QNAP works on patches for OpenSSL bugs impacting its NAS devices
   Network-attached storage (NAS) maker QNAP is investigating and working on security updates to address remote code execution (RCE) and denial-of-service (DoS). Synology customers also still waiting on updates.
5. 5. Microsoft Exchange ProxyToken bug can let hackers steal user email
   Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails. Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule. Fixed in July CU and SA updates.
6. 6. ARM China Seizes IP, Relaunches as an ‘Independent’ Company – ExtremeTech
   The onetime CEO of ARM China, Allen Wu, has reportedly seized control of ARM’s Chinese business venture, ARM China. Mr. Wu is accused of attempting to launch his own company, Alphatecture, by leveraging his position at ARM China to do so.
7. 7. Critical F5 bug could lead to wide range of security vulnerabilities
   F5 has fixed more than a dozen high-severity security vulnerabilities in its networking device, with one of them being elevated to critical severity and CVSS score of 9.9 under specific conditions. All vulnerabilities are part of this month’s delivery of security updates, addressing almost 30 vulnerabilities for multiple F5 devices.
8. 8. Hackers release Belarus data in bid to topple Lukashenko
   Opponents of the Belarus government said they have pulled off an audacious hack that has compromised dozens of police and interior ministry databases as part of a broad effort to overthrow President Alexander Lukashenko's regime.
9. 9. Earth Baku (APT41) Active Target Victims in Indo-Pacific Region
   Trend Micro has uncovered a cyberespionage campaign by Earth Baku, or APT41, against organizations in the Indo-Pacific region. The campaign has been continuing since July 2020.
10. 10. Microsoft Tracks Widespread Credential Phishing Campaign
    Microsoft has been tracking a widespread credential phishing campaign using open redirector links combined with social engineering lures that spoof known productivity tools to trick users. Attackers also use a CAPTCHA verification page to add a sense of legitimacy to the campaign.
11. 11. Microsoft warns Azure customers of critical Cosmos DB vulnerability
    Microsoft has warned thousands of Azure customers that a now-fixed critical vulnerability found in Cosmos DB allowed any user to remotely take over other users' databases by giving them full admin access without requiring authorization. Microsoft advises users to regenerate their Cosmos DB primary keys, and leverage a vNET or firewall to further protect their Cosmos DB Accounts.
12. 12. Chinese National Pleads Guilty to Illegal Exports to Northwestern Polytechnical University
    A Chinese national pleaded guilty today in federal court in Boston in connection with illegally procuring and causing the illegal export of $100,000 worth of U.S. origin goods to Northwestern Polytechnical University (NWPU), a Chinese military university that is heavily involved in military research and works closely with the People’s Liberation Army on the advancement of its military capabilities.

Tyler Robinson

Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

trob#6466

http://darkelement.io/

Sponsored By

Announcements

• In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.

Guest

Benjamin Daniel Mussler

Senior Security Researcher at Acunetix

http://acunetix.com/

Web Application Security Researcher at Acunetix

Hosts

Paul Asadoorian

Founder at Security Weekly

0offset

https://securityweekly.com

Doug White

Professor at Roger Williams University

https://securedigitallife.com/

Lee Neely

Information Assurance APL at Lawrence Livermore National Laboratory