Custom Python Encryption, Shady 0-Days, & The Great iPwn – PSW #679
In the Security News, Nissan Source code leaked, how the shady 0-Day sales game is evolving, Hack the Army 3.0 announced, creating your own custom encryption in python, FBI warns of swatting attacks targeting your smart device, & the rise of Uncaptcha3!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. Telecommunication Use Cases
- 2. How the Shady Zero-Day Sales Game Is Evolving""What we're really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities," he says. That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there's been an important shift toward access-as-a-service where the hacker or hacking group doesn't steal data themselves. He compares it to specialized teams of thieves targeting a house." I interviewed Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, great dude, well trusted.
- 3. Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws"What we're really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities," he says. That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there's been an important shift toward access-as-a-service where the hacker or hacking group doesn't steal data themselves. He compares it to specialized teams of thieves targeting a house." - This comes from Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. I've interviewed Roman in the past, awesome dude, and trust his analysis and research.
- 4. Multiple flaws in Fortinet FortiWeb WAF could allow corporate networks to hack“A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.”
- 5. What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn’t document updates? Let’s find outMore supply chain: "The issue with Great Suspender appears to have been the use of an open-source analytics package, Open Web Analytics (OWA), in conjunction with remote scripts and a CDN – the concern was that user information was being spirited away."
- 6. Create Your Own Custom Encryption in PythonI read the title and was like "Oh man, this is bad". However, this article is awesome. It walks you through how to create a custom encryption algorithm in Python for your C2, evading detection by not using anything standard that may be picked up by security tools. Two thumbs up!
- 7. FBI Warns Users Of Swatting Attacks By Hacking Smart Devices"Carry-out" is a stretch, supplement is a better term here: "Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks…"
- 8. Remote Code Execution Through Cross-Site Scripting In Electron"A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user’s computer. Disabling Node.js integration helps prevent an XSS from being escalated into a so-called “Remote Code Execution” (RCE) attack."
- 9. unCAPTCHA3 evades Google Audio reCAPTCHA with Speech-to-Text APIUse Google to hack Google! "The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API. Google will return the correct answer in over 97% of all cases."
- 10. The dilemma of Wi-Fi DFS Channels
- 11. U.S. Government Announces ‘Hack the Army 3.0’ Bug Bounty Program"The program, conducted by the Defense Digital Service (DDS), is invitation-only, so not everyone can participate, but the Department of Defense does have an ongoing vulnerability disclosure program through which anyone can report security holes at any time in exchange for “thanks.”"
- 12. Understanding And Exploiting Zerologon22-page document on Zerologon, good stuff. I can't help but think though, of all the companies breached recently, how many spent a significant amount of time dealing with this issue, but were still breached by some other means? Time better spent on other issues leads to a stronger security posture?
- 13. JetBrains’ build automation software eyed as possible enabler of SolarWinds hack"...investigators appear to be concerned that a poorly secured, improperly configured, or vulnerable TeamCity instance may have helped the attackers plant their malicious code somewhere in the software supply chain. TeamCity, like other software, is regularly patched for vulnerabilities."
- 1. Nissan Source Code Leaked Online After Git Repo Misconfiguration – Slashdot
- 2. Widely Used Software Company May Be Entry Point for Huge U.S. Hacking
- 3. Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again – Check Point Software
- 4. 81,000 UK-owned .eu domains suspended as Brexit transition ends
- 5. Telegram Triangulation Pinpoints Users’ Exact Locations
- 6. DHS Looking Into Cyber Risk from TCL Smart TVs
- 7. Let’s Encrypt comes up with workaround for abandonware Android devices
- 8. The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit – The Citizen Lab
- 1. Ticketmaster fined $10 million for breaking into rival’s systemsFormer employees of a competitor provided Ticketmaster with URLs of ticketing web pages and stolen passwords that were used to unlawfully collect business intelligence by repeatedly accessing the competitor’s systems without authorization.
- 2. Malware uses WiFi BSSID for victim identificationNew malware strain that relies on obtaining victims' Basic Service Set Identifier (BSSID) in addition to stealing their IP addresses, and then checking the BSSID against Alexander Mylnikov's free BSSID-to-geo database in order to obtain victims' last geographical locations.
- 3. Activists Publish a Vast Trove of Ransomware Victims’ DataDistributed Denial of Secrets (DDoSecrets) transparency collective published a new data set containing approximately 1TB of data that includes more than 750,000 emails, photos, and documents belonging to five companies. The groups is also reportedly offering to privately share another 1.9TB of data lifted from more than 12 other organizations with academic researchers and/or journalists.
- 4. Babuk Locker is the first new enterprise ransomware of 2021Babuk targets victims using executables customized for each victim that contain a hard-coded extension, ransom note, and a Tor victim URL. Once executed on targeted systems, attackers can use command-line arguments (i.e., lanfirst, lansecond, nolan) to control how the ransomware encrypts network shares and whether to encrypt them before the local file system is encrypted.
- 5. Russian Software Company May Be Entry Point for Huge U.S. HackAmerican intelligence agencies and private cybersecurity investigators are examining the role of a widely used software company, JetBrains, in the far-reaching Russian hacking of federal agencies, private corporations and United States infrastructure. Hackers allegedly exploited TeamCity to compromise networks.