Custom Python Encryption, Shady 0-Days, & The Great iPwn – PSW #679

""What we're really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities," he says. That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there's been an important shift toward access-as-a-service where the hacker or hacking group doesn't steal data themselves. He compares it to specialized teams of thieves targeting a house." I interviewed Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, great dude, well trusted.

"What we're really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities," he says. That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there's been an important shift toward access-as-a-service where the hacker or hacking group doesn't steal data themselves. He compares it to specialized teams of thieves targeting a house." - This comes from Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. I've interviewed Roman in the past, awesome dude, and trust his analysis and research.

“A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.”

More supply chain: "The issue with Great Suspender appears to have been the use of an open-source analytics package, Open Web Analytics (OWA), in conjunction with remote scripts and a CDN – the concern was that user information was being spirited away."

I read the title and was like "Oh man, this is bad". However, this article is awesome. It walks you through how to create a custom encryption algorithm in Python for your C2, evading detection by not using anything standard that may be picked up by security tools. Two thumbs up!

"Carry-out" is a stretch, supplement is a better term here: "Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks…"

"A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user’s computer. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called “Remote Code Execution” (RCE) attack."

Use Google to hack Google! "The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API. Google will return the correct answer in over 97% of all cases."

"The program, conducted by the Defense Digital Service (DDS), is invitation-only, so not everyone can participate, but the Department of Defense does have an ongoing vulnerability disclosure program through which anyone can report security holes at any time in exchange for “thanks.”"

22-page document on Zerologon, good stuff. I can't help but think though, of all the companies breached recently, how many spent a significant amount of time dealing with this issue, but were still breached by some other means? Time better spent on other issues leads to a stronger security posture?

"...investigators appear to be concerned that a poorly secured, improperly configured, or vulnerable TeamCity instance may have helped the attackers plant their malicious code somewhere in the software supply chain. TeamCity, like other software, is regularly patched for vulnerabilities."

Former employees of a competitor provided Ticketmaster with URLs of ticketing web pages and stolen passwords that were used to unlawfully collect business intelligence by repeatedly accessing the competitor’s systems without authorization.

New malware strain that relies on obtaining victims' Basic Service Set Identifier (BSSID) in addition to stealing their IP addresses, and then checking the BSSID against Alexander Mylnikov's free BSSID-to-geo database in order to obtain victims' last geographical locations.

Distributed Denial of Secrets (DDoSecrets) transparency collective published a new data set containing approximately 1TB of data that includes more than 750,000 emails, photos, and documents belonging to five companies. The groups is also reportedly offering to privately share another 1.9TB of data lifted from more than 12 other organizations with academic researchers and/or journalists.

Babuk targets victims using executables customized for each victim that contain a hard-coded extension, ransom note, and a Tor victim URL. Once executed on targeted systems, attackers can use command-line arguments (i.e., lanfirst, lansecond, nolan) to control how the ransomware encrypts network shares and whether to encrypt them before the local file system is encrypted.

American intelligence agencies and private cybersecurity investigators are examining the role of a widely used software company, JetBrains, in the far-reaching Russian hacking of federal agencies, private corporations and United States infrastructure. Hackers allegedly exploited TeamCity to compromise networks.