Ransomware Inc, Cracking Keys With Fermat, Neon Output, & Samsung Source Code – PSW #732

"GitGuardian’s analysis of the leaked Samsung source code led to the discovery of more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys." - Yikes.

"In short, Conti group considers itself a legitimate company. Many of its employees don’t even know they’re working for a cybercriminal outfit. Some probably choose to look the other way, but the turnover is still high: When they figure it out, they tend to vamoose."

This could be a major factor: "Another reason for Chrome being increasingly targeted is related to the deprecation of Flash, as well as the web browser’s popularity. Specifically, threat actors often exploited Adobe Flash vulnerabilities in web attacks before the software was killed off, and now they are focusing more on the browser itself. "

"It's exciting because most Linux kernel vulnerabilities are not going to be useful to exploit Android," Valentina Palmiotti, lead security researcher at security firm Grapl, said in an interview. The exploit "is notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been so many). Though, because it only works on 5.8 kernels and up, it's limited to the two devices we saw in the demo."

Begs the question, how is, or should, this be shaping vulnerability management?

This should be pretty easy to spot if you are looking at your DNS traffic: "Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol."

I mean use MFA, but then there is this: "The actors also modified a domain controller file, c:windowssystem32driversetchosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo."

This is amazing: "The idea of the Password Purgatory service is that it's an API designed to take a password, find something wrong with it and send that back in the response. It'll start out gentle (for example, minimum length) and get increasingly bizarre. A separate service will log each attempt the spammer makes to satisfy the inane criteria and once they've finally given up in agony (fingers crossed), I'll share the results publicly. " - Also, really neat walkthrough of the development process and architecture, love it, learned some things.

This is good, right? "The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users' data and attempting to cover up a significant data breach impacting millions."

Who said we wouldn't use Math in daily life: "Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any odd number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart."

Western intelligence agencies are investigating a cyber attack by unidentified hackers that disrupted broadband satellite internet access in Ukraine. The attack reportedly began on Feb. 24 as Russian forces began attacking major Ukrainian cities, including Kyiv.

Toyota revealed that a second parts supplier, Kariya, Aichi, Japan-based Denso Automotive Deutschland GmbH, was hit by a ransomware attack during which attackers gained unauthorized access to its systems. According to reports, the attack was allegedly conducted by the "Pandora" cyber crime gang.

Anonymous has published a new message for Russian citizens inviting them to remove Putin that is sacrificing them and killing Ukrainians.

Ukraine's defense ministry on Saturday began using Clearview AI’s facial recognition technology, which offered to reveal Russian attackers, counter misinformation campaigns, and identify those killed during the invasion.

CISA Alert AA21-265A adds 100 new domains for Conti IOCs. Conti is one of the most successful ransomware groups who possess linkage to Russia’s intelligence agency apparatus. CISA Alert: https://www.cisa.gov/uscert/ncas/alerts/aa21-265a

Ukraine's two leading suppliers of neon, which produce about half the world's supply of the key ingredient for making chips, have halted their operations as Moscow has sharpened its attack on the country, threatening to raise prices and aggravate the semiconductor shortage.

Germany’s Federal Office for Information Security (comparable to our country’s CISA) has issued a stern warning about a popular antivirus software application. Russian antivirus company Kaspersky has been one of the world’s most popular antivirus applications for a long time.