Malware, Ransomware

Lots of Star Wars, David Walden, Vulnerable Contractors, & Pirate Streaming – PSW #739

In the Security News for this week: Lessons from Star Wars on threats, more than just your thermal exhaust port, Pegasus spotted again, Python replaces JavaScript?, Read-Only containers, no problem for malware, breaking out of captive portals, it's always DNS, except when it's not DNS, but this time it's DNS and uClibc, you are ordered to block these sites, ransomware still hurts, DoD contractors remain vulnerable, hiding in network appliances, QUIETEXIT, & more!

Full episode and show notes


  • Don't miss any of your favorite Security Weekly content! Visit to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • Join us June 29th for a webcast with Tyler Robinson and Beau Bullock to learn how to pivot into the world of Crypto security. Visit to register with only your name and email! Don't forget to check out our library of on-demand webcasts & technical trainings at


Paul Asadoorian
Founder at Security Weekly
  1. Users complain over Heroku’s incident management comms - Lots of speculation here: "One customer said they'd invited the Salesforce incident handler to provide a "statement that confirms whether or not config variables and secrets were accessed, or that you're not sure." According to the post, they received the reply: "We currently have no evidence that Heroku customers' secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.""
  2. Lnkbomb - Exploit Insecure File Shares - Interesting - "Lnkbomb is used for uploading malicious shortcut files to insecure file shares. The vulnerability exists due to Windows looking for an icon file to associate with the shortcut file. This icon file can be directed to a penetration tester's machine running Responder or smbserver to gather NTLMv1 or NTLMv2 hashes (depending on configuration of the victim host machine)."
  3. What Star Wars Teaches Us About Threats - Looking forward to this one: "That's why I'm really excited to go in depth and take these lessons to the next level with my next book, Threats: What Every Engineer Should Learn from Star Wars, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!"
  4. KrbRelayUp
  5. Russia Is Being Hacked at an Unprecedented Scale
  6. DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren’t
  7. Spanish prime minister’s phone ‘targeted with Pegasus spyware’ - "The Spanish government has said the mobile phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, were both infected last year with the Pegasus spyware that its manufacturers claim is available only to state agencies."
  8. Embed Python scripts in HTML with PyScript - "The new PyScript project lets you embed Python programs directly in HTML pages and execute them within the browser without any server-based requirements." - This is really cool, we'll see if it catches on though and what the security fallout may be.
  9. Compromising Read-Only Containers with Fileless Malware – Sysdig - This is neat, I have to read up on it: "More recently, Spanish researcher arget13 shared DDexec, their take on code injection, via the commonly available Linux LOLBin (installed by default as part of GNU coreutils) dd" Then they use /dev/shm to create an in-memory filesystem, so the attack works like this: "Deployed our Redis exploit, Written our script and shellcode to two temporary files, Used bash to execute our script, giving the shellcode as input, Evaded multiple defenses and detections (MITRE T1211) – the process listing (ps) and the read-only filesystem" - Neat!
  10. Critical flaws in ‘millions of Aruba, Avaya switches’ - Not much in the way of details, however, it looks like there is a captive portal breakdown and a VLAN breakout that is possible using the five vulnerabilities disclosed by Armis being dubbed TLStorm 2.0.
  11. Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices - "The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections." Well yeah: "This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution. Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure." - And basically an uninitialized variable, leading to the transaction ID always being incremented by 1.
  12. The Gmail SMTP Relay Service Exploit
  13. Every ISP in the US has been ordered to block three pirate streaming services - Like how? Talk about a game of Whack-A-Mole. More info here:
  14. Kellogg Community College closes after ransomware attack - "While the investigation continues, the college says all classes will be canceled until the school can safely reopen, hopefully later this week. In addition to canceling classes, the school says that all students, faculty and staff will be forced to reset their passwords." The statement reads: “We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” - Except classes are currently cancelled and everyone has to reset their password.
  15. Pentagon finds hundreds of cyber vulnerabilities among contractors - Did they expect to find fewer vulnerabilities? "“[The program] has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Melissa Vice, interim director of the vulnerability disclosure program, said in a statement. Vice added that the pilot was intended to identify whether similar critical and high-severity vulnerabilities existed for small-to-medium-cleared and non-cleared defense-industrial base companies with potential risks for critical infrastructure and the U.S. supply chain."
  16. Botnet that hid for 18 months boasted some of the coolest tradecraft ever - "The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools,"
  17. PyScript brings Python into the browser, more easily than ever -
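As an added, defender-side illustration of the uClibc DNS weakness in item 11 (this is not code from the episode, the researchers' write-up, or uClibc itself): a check over a resolver's outgoing queries that flags the two properties together, a constant source port and a transaction ID that advances by a fixed step. The sample queries and the `build_query`/`assess_predictability` helpers are constructed here for the example.

```python
import struct
from collections import Counter


def build_query(txid, name=b"example.com"):
    """Build a minimal DNS A query carrying the given 16-bit transaction ID.
    Constructed for this example so the check can run offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd, an, ns, ar
    qname = b"".join(bytes([len(label)]) + label for label in name.split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def txid(query):
    """The transaction ID is the first 16-bit field of the DNS header."""
    return struct.unpack("!H", query[:2])[0]


def assess_predictability(samples):
    """samples: list of (source_port, raw_query_bytes) as seen leaving a device.
    Reports whether the source port never changes and whether successive
    transaction IDs differ by one constant step (the uClibc case: port 53, +1).
    Either property alone weakens spoofing resistance; both together make the
    query fully predictable."""
    ports = Counter(port for port, _ in samples)
    ids = [txid(q) for _, q in samples]
    deltas = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}  # wrap at 16 bits
    fixed_port = len(ports) == 1
    constant_step = len(deltas) == 1  # needs at least two samples to be true
    return {
        "fixed_source_port": fixed_port,
        "source_port": next(iter(ports)) if fixed_port else None,
        "constant_txid_step": constant_step,
        "txid_step": next(iter(deltas)) if constant_step else None,
        "predictable": fixed_port and constant_step,
    }


# Constructed samples: a vulnerable-looking stub resolver (port 53, ID + 1 each
# time) beside one that randomizes both the port and the ID.
VULNERABLE = [(53, build_query(0x1000 + i)) for i in range(8)]
RANDOMIZED = [(p, build_query(t)) for p, t in
              [(40123, 0x9F3A), (51877, 0x21C4), (33410, 0xE07B), (60211, 0x5D19)]]

if __name__ == "__main__":
    for label, batch in (("vulnerable", VULNERABLE), ("randomized", RANDOMIZED)):
        print(label, assess_predictability(batch))
```

Pointing the same check at queries captured from a real device (source port from the UDP header, payload as the query bytes) is enough to triage whether a resolver shows this pattern.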
Doug White
Professor at Roger Williams University
Josh Marpet
Executive Director at RM-ISAO