Cyber-Symposiums, Apple Backdoor, Crypto Theft, & “Quadruple Extortion” – PSW #706

Nasty: " “Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom.” “One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system,” de Jesus wrote. “This could permit the malware to jump onto removable drives and escape from air-gapped systems.”"

Yikes: "For a device in which http:///index.htm requires authentication, an attacker could access index.htm using the following paths: http:///images/..%2findex.htm or http:///js/..%2findex.htm or http:///css/..%2findex.htm" Great article on the details: https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2

Interesting take on this and how it could be abused from a privacy perspective: "This means that if—for instance—a minor using an iPhone without these features turned on sends a photo to another minor who does have the features enabled, they do not receive a notification that iMessage considers their image to be “explicit” or that the recipient’s parent will be notified. The recipient’s parents will be informed of the content without the sender consenting to their involvement. Additionally, once sent or received, the “sexually explicit image” cannot be deleted from the under-13 user’s device."

"Encouraged by these findings, Norman said the Edge team is now working on Super Duper Secure Mode, an Edge configuration where they disable JIT and enable three other security features such as Controlflow-Enforcement Technology (CET) and Arbitrary Code Guard (ACG)—two features that would normally clash with V8’s JIT implementation. As Norman explained, Super Duper Secure Mode is currently classified as an experiment, and there are no plans set in stone to ship it to users just yet."

We've seen this before, very bad: "They impact the DNS client and the HTTP server components of the stack, allowing a remote attacker to execute code on the vulnerable device to take full control over it. To trigger CVE-2020-25928, an attacker would need to send a crafted DNS packet as a response to a DNS query from the vulnerable device, Forescout and JFrog researchers explain in a joint technical report published earlier today."

Trying to re-define end-to-end encryption: "The connection between the Zoom app running on a user's computer or phone and Zoom's server is encrypted in the same way the connection between a web browser and a website is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting utilizing this encryption technology, the video and audio content will stay private from anyone spying on Wi-Fi, but will not stay private from the company or, presumably, anyone with whom the company shares its access voluntarily, by compulsion of law (e.g., at the request of law enforcement), or involuntarily (e.g., a hacker who can infiltrate the company's systems). With true E2E encryption, the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it." as "the encryption keys for each meeting are generated by Zoom's servers, not by the client devices."

I really want to know if a library is accessing my file system and/or communicating with IP addresses on the Internet... This one steals your Discord auth tokens and credit cards stored by your browser...

"Gary DeMercurio and Justin Wynn have filed a civil lawsuit against Dallas County and Sheriff Chad Leonard from an incident that occurred in September 2019 when the two men broke into the Dallas County Courthouse claiming they were hired to do so. The two men worked for cybersecurity advisor Coalfire, which is headquartered in Colorado. "

Using Windows DCE/RPC (TCP port 135) HD and team was able to more accurately fingerprint the Windows OS type and version, in addition to determining if the host has a Wifi adapter and even what type of AV software is running. Amazing research!

We need more power captain: "In a report published last week, Uptycs researchers said they spotted a crypto-mining botnet in June 2021 that was breaching Linux servers, downloading the Linux MSR driver, and then disabling hardware prefetching before installing a version of XMRig, a common app used for cryptocurrency mining by both legitimate users and malware gangs. Uptycs believes the attacker got the idea to disable hardware prefetching after reading the XMRig documentation, where it is claimed that XMRig can gain a 15% speed boost if the feature is disabled."

Why do you need your NAS device on the Internet!?!?

Wow: "In this paper, we identify a new class of optical TEMPEST attacks: recovering sound by analyzing optical emanations from a device’s power indicator LED. We analyze the response of the power indicator LED of various devices to sound and show that there is an optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED due to the facts that: (1) the power indicator LED of various devices is connected directly to the power line, (2) the intensity of a device's power indicator LED is correlative to the power consumption, and (3) many devices lack a dedicated means of countering this phenomenon."

"1) Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted. 2) Data Theft: Hackers release sensitive information if a ransom is not paid. 3) DoS: Ransomware gangs launch DoS attacks that shut down a victim’s public websites. 4) Harassment: Cybercriminals contact customers, business partners, employees and media to tell them the organization was hacked."

"Cybercrime intelligence firm Hudson Rock revealed that nearly 2,500 computers of Accenture partners and employees were compromised. Another research firm Cyble tweeted that the attackers stole 6TB of data and have demanded a ransom of $50 million."

A security researcher (@HarioMenkel) has released today a tool named CobaltSpam that can flood Cobalt Strike servers with fake beacons and corrupt their internal databases of infected systems.

A good thread on the outcomes of the MyPillow guy CyberSymposium. Not a political talk.

Accenture got ransomwared...?

Hashcat, why you gotta mess with a good thing?

Poly Network has disclosed that hackers managed to steal more than $600 million USD in Binance Chain, Ethereum, and Polygon cryptocurrency assets and transfer it to attacker-controlled wallets in what is being dubbed as one of the largest DeFi hacks to date.

Guidance from CSA/PCI Security Standards Council on requirements and processes to assess cloud based payment processing systems. What's new is the tools to help the assessment.

Millions of senior citizens in North America have had their personal information compromised following a breach at senior care review website SeniorAdvisor, containing millions of files labeled "leads" and 182GB of personally identifiable information (PII) belonging some three million of its users.

Attackers have been spotted leveraging three chained vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) dubbed "ProxyShell" that, when chained together, can be remotely exploited via the Microsoft Exchange "Client Access Service" (CAS) running in IIS on port 443. According to reports, the ProxyShell vulnerabilities are capable of performing unauthenticated, remote code execution (RCE) against Microsoft Exchange servers.

Cybercriminals quickly started exploiting a vulnerability that affects routers and modems from many vendors that use the same underlying firmware. CVE-2021-20090 associated with Arcadyan firmware found in 19 manufacturer's products - nclude ADB, ASMAX, ASUS, Beeline, BT, Buffalo, Deutsche Telecom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom Argentina, Telmex, Telstra, Telus, Verizon, and Vodafone.

Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store.

Thanks Gus for finding this! The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”. The system is tricked into using a specific nameserver by introducing high latency into connections to other validation nodes. In controlled tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.