Toddler Scientists – PSW #723
This week, we kick off the show with a tech segment walking through the Log4j Vuln, step by step! Then, Dragos Ruiu, creator of Pwn2Own, joins for an interview! In the Security News: Attacking RDP (from the inside), NetUSB exposed, the old mailing USB drives trick, a persisten DoS in your doorLock, Signal gets a new CEO, attacking the patching software, where does that QR code go, we heard you liked cryptominers, Pluton will fix that, and retiring from a jarring career!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
The log4j vulnerability still exists in many environments. Learn how to exploit this vulnerability in our step-by-step guide. Please only use this information for research and testing purposes, and only with permission!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Dragos is the Organizer of CanSecWest, PACSEC, originator of PWN2OWN, and does security auditing, and virtual engagement/training.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Dragos is the organizer of Canada’s and Japan’s oldest, most technical, information security conferences at CanSecWest and PacSec, for 21 and 17 years respectively. He started out as a computer dinosaur from back when computers used paper tape (P DP11) and along the way has worked on supercomputers used by various government agencies, as well as working on network monitoring systems for HP for 7 years, picking up an Emmy along the way for the MPEG digital video analyzers used for the first HDTV stations. He does security audits for mission critical systems, and has organized infosec conferences in Vancouver, London, Amsterdam, Buenos Aires, and Hong Kong, as well as starting the PWN2OWN competition. More recently since the pandemic he has been focusing on helping conferences pivot their technology and rationalize their systems for virtual on-line formats.
This week in the Security News: Attacking RDP (from the inside), NetUSB exposed, the old mailing USB drives trick, a persistent DoS in your doorLock, Signal gets a new CEO, attacking the patching software, where does that QR code go, we heard you liked cryptominers, Pluton will fix that and retiring from a jarring career, & more!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
- 1. Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft
- 2. Moxie Marlinspike quits as CEO of Signal - Seems they are getting hammered on this point: "It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI." - I don't believe this is why Moxie left, I think he created something truly awesome (and private AND secure) and needs to move on to find another challenge...
- 3. CVE-2021-43326: Automox Agent Privilege Escalation - "Lacework Labs researcher Greg Foss (@35Foss) spent some time analyzing the Automox Windows agent and ultimately discovered a local privilege escalation flaw with a CVSS score of 7.8 (High) due to how the agent handles PowerShell script execution at run-time."
- 4. Is Bluetooth a Cyber Security Liability? – Latest Hacking News
- 5. New macOS vulnerability, “powerdir,” could lead to unauthorized user data access – Microsoft Security Blog
- 6. Wormable Windows HTTP hole – what you need to know
- 7. Bitcoin prices fall to lowest in months after US Fed remarks
- 8. Millions of Routers Exposed to RCE by USB Kernel Bug - What could go wrong? Buffer overflow for one: "The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems."
- 9. A Quick CVE-2022-21907 FAQ (work in progress)
- 10. Fake QR Codes on Parking Meters – Schneier on Security - "The QR codes found by Austin police department directed unsuspecting users to a fraudulent website which would ask for payment details with the false promise that their parking session would be paid for. The City of Austin checked its parking meters after being notified of a similar QR code scam by officials in San Antonio. They had discovered over 100 parking meters similarly stickered in late December."
- 11. Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more - "This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. This could lead to data privacy issues, lateral movement and privilege escalation."
- 12. Who is the Network Access Broker ‘Wazawaka?’ – Krebs on Security
- 13. ‘Wormable’ Flaw Leads January 2022 Patch Tuesday
- 14. Newly Found SysJoker Backdoor Targets Windows, macOS, and Linux OSs
- 15. Norton antivirus installs cryptominer on devices but there is a way out - "According to reports, the cryptocurrency miner was included in the Norton antivirus in June last year to help Norton 360 users earn some extra bucks from their graphics card. The tool is called Norton Crypto, and it mines Ethereum. Users can keep 85% of the cut while the remaining goes to NortonLifeLock."
- 16. Hacking group accidentally infects itself with Remote Access Trojan horse - Oops: "However, it was also discovered that the hacking group had managed to also infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers."
- 17. Microsoft Windows Defender / Detection Bypass
- 18. Coming to a laptop near you: A new type of security chip from Microsoft - Sounds like a challenge: "Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC."
- 1. ‘90 Day Fiancé’ star retires from selling farts after heart attack scare
- 2. Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more
- 3. Attackers are mailing USB sticks to drop ransomware on victims’ computers
- 4. KCodes NetUSB bug exposes millions of routers to RCE attacks
- 5. Researchers used electromagnetic signals to classify malware infecting IoT devices
- 6. Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification
- 7. doorLock - A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit
- 8. US Space Force to Launch Project Moonlighter Cybersecurity Satellite – Via Satellite –
- 9. Lights Out: Cyberattacks Shut Down Building Automation Systems
- 1. Apple Releases iOS 15.2.1 and iPadOS 15.2.1 - iOS 15.2.1 and iPadOS 15.2.1 released 1/12/22 address HomeKit vulnerability. (CVE-2022-22588)
- 2. doorLock- Persistent Denial of Service VulnerabilityAffecting iOS 15.2-14.7 - A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit. That could be triggered by changing a HomeKit device's name to a string longer than 500,000 characters. According to Trevor Spiniolas, who uncovered the flaw, once the string is loaded, iOS and iPadOS will reboot and become unusable.
- 3. Take Immediate Actions to Secure QNAP NAS - Attackers are still targeting NAS devices. QNAP publishes steps to secure their NAS devices. Repeat after me: I solemnly swear not to expose NAS to the Internet.
- 4. QNAP NAS devices hit in surge of ech0raix ransomware attacks - Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.
- 5. Storage Devices of Major Vendors Impacted by Encryption Software Flaws - Storage devices manufactured by various vendors are reportedly affected by two vulnerabilities (CVE-2021-36750 and CVE-2021-36751) that were uncovered in third-party encryption software used by all the manufactures and could be exploited to conduct brute-force attacks and obtain users' passwords. Potential for brute forcing accounts. Requires local access.
- 6. Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries - Researchers say that after conducting a study of 16 different Uniform Resource Locator (URL) parsing libraries, they found that those libraries contained "inconsistencies and confusions" that could be exploited by attackers to bypass validations and create a variety of attack vectors. Report: https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf
- 7. Uber ignores vulnerability that lets you send any email from Uber.com - A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. The vulnerability is in one of Uber's servers which isn't properly sanitizing input, rather than their email servers.
- 8. Apache Maven Central serves millions of old Log4j versions - Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz. Make sure your development and CI processes are using up-to-date libraries. Don't wait to qualify new versions.
- 9. Log4j 2.17.1 out now, fixes new remote code execution bug - Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Apache is urging customers to upgrade as soon as possible to prevent exploitation. According to reports, the moderate-severity issue results from a lack of additional controls on JDNI access in Log4j.
- 10. LastPass users warned their master passwords are compromised - Credential stuffing attacks, where credentials are obtained from third-party breachs not relating to Lastpass, result in valid credentials used from unusual locations which are blocked. Use unique passwords and enable MFA...
- 11. T-Mobile says new data breach caused by SIM swap attacks - T-Mobile has been the victim of multiple data breaches over the last four years, users should remain vigilant.
- 12. Photography site Shutterfly is dealing with a ransomware attack – CyberScoop - Shutterfly said on Dec. 26 that it was hit by a ransomware attack that struck portions of its network and interrupted elements of its Groovebook app, Lifetouch and BorrowLenses business, manufacturing operations, and some internal systems.
- 13. Bluetooth reboot of pre-school play phone has privacy flaw - Fisher Price's Bluetooth reboot of pre-school play phone has adult privacy flaw ‘Chatter’ can be bugged thanks to kindergarten-grade security.
- 14. UK minister includes Russia, China among ‘hostile nations’ - U.K. Minister of State Security and Borders Damian Hinds has accused China, Iran, and Russia of conducting disinformation campaigns and of being involved in various ways in terms of spies on the ground, cyber attacks, soldiers on standby, and disinformation operations.
- 15. New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking