Ransomware Inc, Cracking Keys With Fermat, Neon Output, & Samsung Source Code – PSW #732
In the Security News: Secret Keys in Samsung Source Code, Conti (tries) to go legit, Cracking crypto keys with a 300 year old algorithm, CISA’s must patch list, FTC fines CafePress over Data Breach, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
Paul Asadoorian
Principal Security Evangelist at Eclypsium
- 1. Thousands of Secret Keys Found in Leaked Samsung Source Code"GitGuardian’s analysis of the leaked Samsung source code led to the discovery of more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys." - Yikes.
- 2. Staff Think Conti Group Is a Legit Employer"In short, Conti group considers itself a legitimate company. Many of its employees don’t even know they’re working for a cybercriminal outfit. Some probably choose to look the other way, but the turnover is still high: When they figure it out, they tend to vamoose."
- 3. Google Attempts to Explain Surge in Chrome Zero-Day ExploitationThis could be a major factor: "Another reason for Chrome being increasingly targeted is related to the deprecation of Flash, as well as the web browser’s popularity. Specifically, threat actors often exploited Adobe Flash vulnerabilities in web attacks before the software was killed off, and now they are focusing more on the browser itself. "
- 4. Researcher uses Dirty Pipe exploit to fully root a Pixel 6 Pro and Samsung S22"It's exciting because most Linux kernel vulnerabilities are not going to be useful to exploit Android," Valentina Palmiotti, lead security researcher at security firm Grapl, said in an interview. The exploit "is notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been so many). Though, because it only works on 5.8 kernels and up, it's limited to the two devices we saw in the demo."
- 5. CISA Adds 14 Windows Vulnerabilities to ‘Must-Patch’ ListBegs the question, how is, or should, this be shaping vulnerability management?
- 6. New “B1txor20” Linux Botnet Uses DNS Tunnel and Exploits Log4J FlawThis should be pretty easy to spot if you are looking at your DNS traffic: "Bot sends the stolen sensitive information, command execution results, and any other information that needs to be delivered, after hiding it using specific encoding techniques, to C2 as a DNS request; After receiving the request, C2 sends the payload to the Bot side as a response to the DNS request. In this way, Bot and C2 achieve communication with the help of DNS protocol."
- 7. Severe Vulnerability Patched in CRI-O Container Engine for Kubernetes
- 8. Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA ProtocolsI mean use MFA, but then there is this: "The actors also modified a domain controller file, c:windowssystem32driversetchosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo."
- 9. Largest-ever cyberattack on Israel takes down government sites
- 10. Building Password Purgatory with Cloudflare Pages and WorkersThis is amazing: "The idea of the Password Purgatory service is that it's an API designed to take a password, find something wrong with it and send that back in the response. It'll start out gentle (for example, minimum length) and get increasingly bizarre. A separate service will log each attempt the spammer makes to satisfy the inane criteria and once they've finally given up in agony (fingers crossed), I'll share the results publicly. " - Also, really neat walkthrough of the development process and architecture, love it, learned some things.
- 11. FTC to fine CafePress for cover up of massive data breachThis is good, right? "The U.S. Federal Trade Commission (FTC) wants to slap the former owner of the CafePress custom t-shirt and merchandise site with a $500,000 fine for failing to secure its users' data and attempting to cover up a significant data breach impacting millions."
- 12. Researcher uses 379-year-old algorithm to crack crypto keys found in the wildWho said we wouldn't use Math in daily life: "Cryptographers have long known that RSA keys that are generated with primes that are too close together can be trivially broken with Fermat's factorization method. French mathematician Pierre de Fermat first described this method in 1643. Fermat's algorithm was based on the fact that any odd number can be expressed as the difference between two squares. When the factors are near the root of the number, they can be calculated easily and quickly. The method isn't feasible when factors are truly random and hence far apart."
Doug White
Professor at Roger Williams University
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. US spy agency probes sabotage of satellite internetWestern intelligence agencies are investigating a cyber attack by unidentified hackers that disrupted broadband satellite internet access in Ukraine. The attack reportedly began on Feb. 24 as Russian forces began attacking major Ukrainian cities, including Kyiv.
- 2. Denso’s German network hit by cyberattackToyota revealed that a second parts supplier, Kariya, Aichi, Japan-based Denso Automotive Deutschland GmbH, was hit by a ransomware attack during which attackers gained unauthorized access to its systems. According to reports, the attack was allegedly conducted by the "Pandora" cyber crime gang.
- 3. Anonymous sent a message to Russians: “remove Putin”Anonymous has published a new message for Russian citizens inviting them to remove Putin that is sacrificing them and killing Ukrainians.
- 4. Exclusive: Ukraine has started using Clearview AI’s facial recognition during warUkraine's defense ministry on Saturday began using Clearview AI’s facial recognition technology, which offered to reveal Russian attackers, counter misinformation campaigns, and identify those killed during the invasion.
- 5. CISA updates Conti ransomware alert with nearly 100 domain namesCISA Alert AA21-265A adds 100 new domains for Conti IOCs. Conti is one of the most successful ransomware groups who possess linkage to Russia’s intelligence agency apparatus. CISA Alert: https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
- 6. Exclusive: Ukraine halts half of world’s neon output for chipsUkraine's two leading suppliers of neon, which produce about half the world's supply of the key ingredient for making chips, have halted their operations as Moscow has sharpened its attack on the country, threatening to raise prices and aggravate the semiconductor shortage.
- 7. Germany warns against using Kaspersky software, citing ‘considerable’ cyber risk after Russia’s invasionGermany’s Federal Office for Information Security (comparable to our country’s CISA) has issued a stern warning about a popular antivirus software application. Russian antivirus company Kaspersky has been one of the world’s most popular antivirus applications for a long time.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element