This week in the Security News: Hackers have found a clever new way to steal your Microsoft 365 credentials, Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip, An update to Raspberry Pi OS Bullseye, Bearded Barbie hackers catfish high ranking Israeli officials, & Nginxday!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
"Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server ("gw.denonia[.]xyz") by concealing the traffic within encrypted DNS queries." - Also, it doesn't target a weakness in Lambda, but checks for that environment. Original article: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
"What the judge found most damning, perhaps, was a photo of Griffith presenting at the conference, wearing a traditional North Korean suit and standing in front of a blackboard on which it read “No sanctions!” with a smiley face."
Sounds like what we've been doing with 3rd party tools all along? "Updates are applied to a small initial set of devices, evaluated, and then graduated to increasingly larger sets, with an evaluation period at each progression," Microsoft said. "The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized."
"Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."
Strange disclosure: "As Nginx have now released a blog post about the public releases of information, we've emailed them with a description, some familiarities of the issue that they highlighted over and assets affected. However, people are quick to jump on the "This is fake" or "This isn't anything" bandwagon. As we got no answer to if there is any bounty offered by Nginx for the findings, we've not shared any deeper information about this. If there is no bounty or even reward, we've looked at the other option that would be to sell the exploit on either breached.co, exploit.in or other sites. (We've been offered about 200K in XMR for the exploit)." NGINX blog post: https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
Catphished? "After gaining the trust of the target by interacting with them for a while, the adversaries suggest migrating the conversation to WhatsApp, supposedly for better privacy. This is when the conversation takes an erotic turn, with the threat actors suggesting another pivot to a supposedly more discreet Android IM app, which is actually the VolatileVenom malware. Simultaneously, the operative sends a link to a RAR file that purportedly contains a sexual video, but which in reality is a downloader for the BarbWire backdoor."
Interesting to see how this is exploited: "The log_fdw extension, AWS also notes, is pre-installed in both Aurora PostgreSQL and Amazon RDS for PostgreSQL. A privileged, authenticated user able to trigger the bug could use the leaked credentials to gain elevated access to database resources. “They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved,” AWS notes."
"According to notes published alongside the release of OpenSSH 9.0, the open-source group will now use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm." - Huh? Some resources: https://ntruprime.cr.yp.to/ and https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/#
Borrowing from Mirai, still... "This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility." Original Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
Turn the power off once, shame on you. Let it happen again, shame on me: "In Tuesday's press briefing, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations represents not merely Russia's lack of focus on cyberwar as it carries out a full-blown physical war, but also Ukraine's growing ability to defend itself in the digital domain. “We have been dealing with an opponent that has been constantly training us, drilling us. Since 2014 we've been under constant aggression, and our expertise is unique in how to rebuff this aggression,” says Zhora. “We're stronger. We're more prepared. And of course, we will secure victory.”"
Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains that were being used by the group as attack infrastructure to hit various Ukrainian institutions and the media.
Malware dubbed "Denonia" is being leveraged in attacks targeting the Amazon Web Services (AWS) Lambda serverless computing platform. Denonia is programmed in the "Go" language and includes a customized "XMRig" cryptocurrency mining variant.
California-based respiratory care provider SuperCare Health recently disclosed a data breach affecting more than 300,000 individuals. Breached 7/23-27/21, disclosed 2/4/22, with the delay attributed to analysis. How long is too long?
The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical subsystems using a new version of the CaddyWiper data destruction malware.
Researchers say they have observed threat actors leveraging a new piece of Windows information-stealing malware dubbed "FFDroider" that is disguised as the Telegram instant messaging app and specifically designed to steal targeted victims' credentials and browser cookies.
According to Symantec, as part of the attacks, Cicada uses a "clean" version of VLC to drop a malicious file via VLC's export functions, a technique frequently used by hackers to introduce malware into legitimate software.