DOOM Exploit, iPhone Deep Fakes, & 11 0-Days Infect Devices – PSW #688
This week in the Security News: Doom exploit wins an award, a puzzle honors Alan Turing, anyone can create a deepfake, Jabber bugs, unquoted service paths, Nim malware, Deadly sins of secure coding, & are we living in the toughest time of Cybersecurity?
Register to attend Joff Thyer's upcoming Wild West Hacking Fest course "Enterprise Attacker Emulation and C2 Implant Development": http://bit.ly/JoffsC2Class
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. Arbitrary code execution in DOOM. From the Git repo: "This example only works in version 1.9 The Ultimate Doom. That is, no Doom2, no The Final Doom or Anthology. (Why is there so many different 1.9 versions?)" - This is super cool, I don't remember enough about DOS-based Doom games, but it's cool. It won an award, yes, they have a Doom hack award thing. I never knew that was a thing, but I also think it's really cool! Awards: https://www.doomworld.com/cacowards/2020/others/ (Machaward - Most creative, unusual, or artistically compelling project of the year: Arbitrary Code Execution - @kgsws)
- 2. CISA releases CHIRP, a tool to detect SolarWinds malicious activity. "Similar to Sparrow, CHIRP scans for signs of APT compromise within an on-premises environment, by default it searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A alerts. The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants."
- 3. Critical Cisco Jabber Bug Could Let Attackers Hack Remote Systems. "CVE-2021-1411, which concerns an arbitrary program execution vulnerability in its Windows app, is also the most critical, with a CVSS score of 9.9 out of a maximum of 10. According to Cisco, the flaw is due to improper validation of message content, thus making it possible for an attacker to send specially-crafted XMPP messages to the vulnerable client and execute arbitrary code with the same privileges as that of the user account running the software."
- 4. Ext2Fsd v0.68 – ‘Ext2Srv’ Unquoted Service Path. I would think MS Defender could catch these? https://www.commonexploits.com/unquoted-service-paths/
- 5. Review: OpenBSD 6.8 on 8th Gen Lenovo ThinkPad X1 Carbon 13.3″. This is pretty brave: "10 days ago, I bought this X1 Carbon. I immediately installed OpenBSD on it. It took me a few days to settle in and make myself at home, but here are my impressions."
- 7. Mozilla Firefox 87 Out With New Default Referrer Policy For More Privacy. "Starting with Firefox 87, we set the default Referrer Policy to ‘strict-origin-when-cross-origin’ which will trim user sensitive information accessible in the URL. As illustrated in the example above, this new stricter referrer policy will not only trim information for requests going from HTTPS to HTTP but will also trim path and query information for all cross-origin requests. With that update, Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience." Attribution link: https://latesthackingnews.com/2021/03/24/mozilla-firefox-87-out-with-new-default-referrer-policy-for-more-privacy/
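To make the trimming concrete, here is an added example (not code from the show notes, Mozilla, or the linked article) that models the Referer value a browser sends for one request under the old default, no-referrer-when-downgrade, and the Firefox 87 default, strict-origin-when-cross-origin; the page and resource URLs in it are constructed.

```javascript
// Added example: what Referer a browser sends for a request from `fromUrl`
// to `toUrl` under two Referrer-Policy values. Returns null when no Referer
// header is sent at all. Sample URLs below are constructed.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // A downgrade is a secure (https) page requesting an insecure (http) resource.
  const isDowngrade = from.protocol === "https:" && to.protocol === "http:";
  const sameOrigin = from.origin === to.origin;
  // Full referrer: scheme, host, port, path and query (never fragment or userinfo).
  const full = from.origin + from.pathname + from.search;
  // Origin-only referrer: scheme, host and port, followed by "/".
  const originOnly = from.origin + "/";

  switch (policy) {
    case "no-referrer-when-downgrade": // pre-87 default: full URL unless downgrading
      return isDowngrade ? null : full;
    case "strict-origin-when-cross-origin": // Firefox 87 default
      if (isDowngrade) return null;          // still nothing on https -> http
      return sameOrigin ? full : originOnly; // path and query trimmed cross-origin
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// Constructed scenario: a logged-in account page that embeds a third-party
// image, a same-origin stylesheet and one plain-http image.
const PAGE = "https://bank.example/account/statements?user=4711#top";
const CROSS_ORIGIN_IMG = "https://tracker.example.net/pixel.gif";
const SAME_ORIGIN_CSS = "https://bank.example/static/site.css";
const INSECURE_IMG = "http://cdn.example.org/logo.png";

// Returns, per policy, the Referer each of the three subresource requests carries.
function demo() {
  const policies = ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"];
  const result = {};
  for (const p of policies) {
    result[p] = {
      crossOrigin: referrerFor(p, PAGE, CROSS_ORIGIN_IMG),
      sameOrigin: referrerFor(p, PAGE, SAME_ORIGIN_CSS),
      downgrade: referrerFor(p, PAGE, INSECURE_IMG),
    };
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the old default the tracker pixel learns the account path and user query string; under the new default it only learns the origin.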
- 8. Hackers Exploit Telegram API For Server-Side Data Exfiltration. "The researchers caught the malicious code running on the login page (wp-login.php) of a WordPress website. This placement allowed the attackers to steal the users’ credentials directly. In the case of admins, such data theft directly leads to website takeover." and "The attacker uses file_get_contents to make their remote request to Telegram’s API URL, allowing them to transmit the stolen data without leaving much evidence of the exfiltration on the server. Adding this feature also allows the attacker to access the stolen data in real-time, instead of having to check a text file for any captured information."
- 9. Microsoft Exchange ProxyLogon Remote Code Execution. And now there's a Metasploit module/exploit...
- 10. Deadly Sins of Secure Coding. "Gluttony — We’ve implemented our own framework. It’s really hard to attack; Relying on Assumptions & Happy Paths — It’s an edge case; Obscurity — How will they know to attack here?; Blame — It’s your fault!"
- 11. State prosecutors push Facebook, Twitter to do more to slow virus misinformation. "Bad actors and grifters have been spreading misinformation about vaccines on social media, including on Facebook and Twitter, for years. Some of the most infamous purveyors of vaccine and infectious diseases misinformation have been Russian government-backed trolls linked to the Internet Research Agency (IRA), the same entity that U.S. officials have said interfered in the 2016 presidential election."
- 12. The Toughest Time of Cybersecurity. "When considering cybersecurity, we need to understand it operates according to a different set of rules than the physical world. We keep distance, set borders as physical security controls. But in cyberspace, the concepts like distance, borders, and proximity all operate differently, which has profound security implications." "One thing in common between SUNBURSTS and the recent zero-day attacks on Microsoft Exchange is that they are both found to have been state-sponsored." And then alert fatigue and skill shortage = bad news for cybersecurity.
- 13. Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users. What were they after? Something good in order to burn 11 0days. "Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets."
- 14. The most common on premises vulnerabilities & misconfigurations. "In this blog post I’m gonna cover the in my opinion most common findings in a Windows Active Directory environment, which can be found and abused for Privilege Escalation and Lateral Movement in such a project. It’s about on premises vulnerabilities and misconfigurations in an internal company environment as well as mitigations."
- 1. Perspective: Anyone with an iPhone can make deep fakes
- 2. Researchers design an AI-powered backpack for the visually impaired
- 3. Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections
- 4. Microsoft Offers Up to $30,000 for Vulnerabilities in Teams Desktop Client
- 5. Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail
- 1. GCHQ releases ‘most difficult puzzle ever’ in honour of Alan Turing. 12 riddles linked to new £50 note featuring the codebreaker may take seven hours to crack.
- 2. Vulnerability Management Is Still a Mess. A topic of interest for me of late, so it's good to get an alternative view from down the rabbit hole.
- 3. Facebook shuts down hackers who infected iOS and Android devices. Social media platform used to spread malware that spied on Uyghurs.
- 4. California Controller’s Office suffers data breach after employee fell for phishing email. "The data breach was caused by a phishing attack in which an employee of the State Controller’s Office Unclaimed Property Division clicked on a link in an email and then entered a user ID and password as prompted." Okay, everyone is going to get phished. But sharing credentials??? That's on the Security Awareness Program IMO.
- 5. SaltStack revises partial patch for command injection, privilege escalation vulnerability. The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
- 6. Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure. A security researcher has launched a GoFundMe campaign to secure legal representation after a responsible disclosure notice apparently went sour.
- 1. Forex Broker Leaks Millions of Customer Records Online. A misconfigured, unsecured cloud database belonging to Belize-based forex broker FBS has been found exposed online containing more than 20TB of sensitive customer data.
- 2. CNA insurance firm hit by a cyberattack, operations impacted. CNA Financial has disclosed it suffered a "cyberattack" that forced the company to shut down specific systems and take down its website to minimize the attack's impact.
- 3. Shell Latest to Fall to Accellion FTA Exploits. Shell has disclosed it suffered a data breach after an unauthorized individual leveraged vulnerabilities affecting its Accellion FTA and gained access to files containing PII belonging to those working with the company.
- 4. Adobe Patches Critical ColdFusion Security Flaw. Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion; the fix requires updating both the server and the JRE/JDK.
- 5. MangaDex manga site temporarily shut down after cyberattack. MangaDex has temporarily taken its site down after a malicious actor managed to access an admin account, a developer account, and its source code on March 17. The actor had gained access to the admin account by reusing a session token found in an old database leak, which was possible because of faulty session-management configuration.
- 6. Computer giant Acer hit by $50 million ransomware attack. On March 18, 2021, the "REvil" ransomware group announced on its data leak site that it had breached systems belonging to New Taipei City, Taiwan-based electronics and hardware manufacturer Acer; stole an array of documents that included bank balances, bank communications, and financial spreadsheets; and demanded the company pay $50 million USD in ransom.
- 7. China Bans Tesla Cars From Entering Military Locations and Housing Compounds. China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk's cars from entering any Chinese military complexes or housing compounds.
- 8. XcodeSpy Mac malware targets Xcode Developers with a backdoor. Researchers say they have spotted attackers leveraging a Trojanized Xcode project, dubbed XcodeSpy, in a series of attacks designed to infect iOS developers' systems with a variant of the "EggShell" backdoor. This had previously been reported as Redpanda in June 2020 by Mandiant.
- 9. “Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users. As part of a nine-month-long, "highly sophisticated" hacking campaign, a team of advanced hackers reportedly exploited at least 11 zero-day vulnerabilities using compromised websites in order to infect fully patched devices running Android, iOS, and Windows.
- 10. Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military. Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth, leveraging data collected and sent by car sensors.