ANOM Bust, Ransomware Solutions, NAC, & A PCI Deathmatch! – PSW #698
This week, In the Security News Paul & the crew discuss: Microsoft Patches 6 Zero-Days Under Active Attack, US seizes $2.3 million Colonial Pipeline paid to ransomware attackers, the largest password compilation of all time leaked online with 8.4 billion entries, How to pwn a satellite, One Fastly customer triggered internet meltdown, and I got 99 problems, but my NAC ain't one, and more!
Security Weekly is ecstatic to announce that Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista! Call for presentations & early registration for Security Weekly listeners is open now! Visit securityweekly.com/unlocked to submit your presentation & register for the early registration price before it expires!
- 1. The Workforce Shortage in Cybersecurity Is a Myth - "We don't have a workforce shortage problem. What we have is an automation-in-the-wrong-place problem. It's not about training people to do traditional network security. What we need are mathematical models that meaningfully predict risk and provide pathways to reduce it. This lesson is easily seen in vulnerability management, but it's applicable to other fields. Think of it this way: The typical enterprise network has millions of vulnerabilities. On median, our research found that out of about 500 enterprises, IT teams fix 10% of those vulnerabilities, though some exceptional performers patch 25% on a monthly basis. If companies were to hire enough people to eliminate every vulnerability from their systems, they'd need to at least quadruple their workforce devoted to the task." - I disagree with Michael Roytman on all points. We do have a workforce shortage problem, as there is not enough talent across the board to fill roles IN ALL aspects of cybersecurity. Cybersecurity needs people in IT, development, policy, HR, legal and more. We need a fundamental structure that defines what roles need to be created and curated, then a system to develop talent in those areas. Yes, we need technical people, but more importantly we need people that understand cybersecurity (and that does not mean that your are a technical wizard per se). Also, the entire narrative that there are so many vulnerabilities and we should only focus on the ones that are weaponized does not represent the entire picture. Attackers don't always rely on vulnerabilities and exploits, that ship sailed a long time ago. Successful attacks are about targeted weaknesses. These weaknesses could be people, processes, technologies, or even better a combination of all three. Security is not just about patching your shit (but you must patch your shit). Security is not all about educating your employees (though you should do that too). Its more about building resilient systems and monitoring said resilient systems to enure they are working properly. Patching, configuration management, event monitoring, data security, etc.. are all part of that. You can patch all your shit, okay even patch all your shit that has exploits that are being used, and still get hacked because of authentication, social engineering, the fact that you just installed AD and did nothing else to secure it, configured cloud services and didn't apply any controls, etc...
- 2. Hacking space: How to pwn a satellite - Valid point? - "Speaking of cryptography, it’s not just about using proven technologies, but since your flying metal might be up there for decades, using beginning-of-life cryptography algorithms that are more resistant to quantum cryptographic cracking is a good idea. Large number AES (Advanced Encryption Standard) is quantum resistant, for example, while RSA isn’t."
- 3. Microsoft Patches Six Zero-Day Security Holes – Krebs on Security
- 4. Microsoft Patches 6 Zero-Days Under Active Attack
- 5. How Can You Prevent Ransomware? - This is actually a good article (based on title alone I was ready to shread it). I love this: "So, what is needed, say CIOs, are three things: Good security operations, Good security policy, Good security engineering and testing"
- 6. Hackers can mess with HTTPS connections by sending data to your email server
- 7. One Fastly customer triggered internet meltdown
- 8. Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning - "Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. Smart Install can be very useful for organizations, but it can also pose a serious security risk." - I actually have never seen Smart installs being used by enterprises, other than to allow people to hack your shit.
- 9. Ransomware has become a cost of doing business – Help Net Security
- 10. GitHub Starts Scanning for Exposed Package Registry Credentials
- 11. Meat giant JBS pays $11m in ransom to resolve cyber-attack
- 12. With Single Factor Authentication You’re One Step Away from Being the Next Colonial Pipeline – Entrust Blog
- 13. Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy - A few thoughts on this: While Phil was not a hardcore mathematician or cryptographer, his application of public-key systems was a notable change in computing history. His first attempt at cipher suite was called "Bass-o-matic" in PGP 1.0, and it was horrible. The article seems to leave this out! TO Phil's credit, he got with actual crypto people and swapped it out in version 2. The fact that we can all use cryptosystems today is amazing when prior to 2001 the US Government was not keen on allowing everyone to encrypt communications.
- 14. Hackers Force Iowa College to Cancel Classes for Four Days
- 15. My Favorite Pentest Tools (Top 15) - This is a great list.
- 16. How the Military Might Expand Its Cyber Skills
- 17. US seizes $2.3 million Colonial Pipeline paid to ransomware attackers
- 18. Vulnerabilities in Weapons Systems – Schneier on Security
- 19. President Biden: Secure the Software Supply Chain
- 20. I got 99 problems but my NAC ain´t one - "Using a transparent bridge. This is the implementation of Skip´s idea, which involves a device that - simply spoken - in a first instance just lets all the traffic traverse it by means of forwarding rules, being totally transparent to the network and all the participants. Next it does some tcpdump magic to sniff traffic like ARP, NetBIOS but also Kerberos, Active Directory, web etc., extracting the needed info to spoof the victim and the networks gateway to stay under the radar. With this info the needed rules in ebtables, iptables etc. are automatically created, and will allow an attacker to interact with the network mimicking the victim."
- 21. Farsight Security DNSDB Transforms for Maltego Enable Threat Hunters to Significantly Expand Cybersecurity Investigations
- 22. Colonial Pipeline hacked with single password leaked on dark web
- 23. Hacktivist Campaign Spreads Manifesto through Router Configuration Files – Lumen
- 1. Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users’ plots - The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured for the purpose of using the app, and starting in 2018, distributed on black markets.
- 2. New Kubernetes malware backdoors clusters via Windows containers - Attackers have been identified leveraging the new "Siloscape" malware for more than a year in attacks designed to compromise Windows containers in order to then compromise Kubernetes nodes and backdoor clusters, which allows them to later abuse the compromised clusters to conduct other malicious attacks.
- 3. WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes - Researchers have uncovered two vulnerabilities (CVE-2021-21000 and CVE-2021-21001) affecting WAGO industrial controllers that could be exploited by attackers to disrupt technological processes, which could result industrial accidents.
- 4. RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries - RockYou2021, the largest password compilation of all time has been leaked on a popular hacker forum, it contains 8.4 billion entries of passwords.
- 5. Justice Dept. Claws Back $2.3M Paid by Colonial Pipeline to Ransomware Gang – Krebs on Security - The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. 63.7 of 75 Bitcoins. DarkSide got 15%, Affiliate got 85% of the 75, this represents the affiliate's share.
- 6. US to give ransomware attacks similar priority as terrorism, official says - DOJ has announced it will prioritize ransomware attacks similar to the way it prioritizes terrorism
- 7. Researchers Warn of Critical Bugs Affecting Realtek Wi-Fi Module - A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges and hijack wireless communications on vulnerable devices.
- 8. UF Health Florida hospitals back to pen and paper after cyberattack - UF Health The Villages Hospital UF Health Central Florida has suffered a reported ransomware attack that forced two hospitals to shut down portions of their IT.
- 9. ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack - Hackers have been spotted actively scanning the Internet in search of VMware vCenter servers that have not been patched against a critical remote code execution (RCE) vulnerability (CVE-2021-21985) that could be exploited to execute commands on the system hosting the targeted vCenter Server.
- 11. India’s Finance Software Powerhouse NSE Blown By EpsilonRed Ransomware - Financial software maker NSE has disclosed it suffered a ransomware attack during which attackers breached its internal networks and encrypted "essential business data."
- 12. Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws - Microsoft's June 2021 Patch Tuesday, comes fixes for seven zero-day vulnerabilities, six of which are known to be exploited, and a total of 50 flaws, so Windows admins will be busy.
- 13. Feds Say Imprisoned Hacker Ran a Drone Smuggling Ring - A San Francisco hacker already serving a 13-year prison term has been charged with using a smuggled cell phone to loot consumer debit card accounts, then channeling the profits into smuggling which used a remotely-piloted drone to drop contraband into the prison yard.