Re-Routing Traffic, Pseudo Keyloggers, TLS Inside, LockBit, Cobalt Strike & Defender – PSW #750
In the Security News: when hackers are not behind an outage, when hackers are behind re-routing traffic, neat pseudo-keystroke loggers, when XSS leads to code execution, TLS inside, post-quantum encryption that doesn't hold up to pre-quantum computers, LockBit loading Cobalt Strike using Windows Defender, we love authentication bypass, and impress your co-workers with my Linux command of the week, & more!
- 1. How a coding error caused Rogers outage that left millions without service - Not cyber criminals: "Deleting the filter caused all possible routes to the internet to pass through the routers, resulting in several of the devices exceeding their memory and processing capacities. This caused the core network to shut down." - I've been there, "we must be under a DDoS attack!", then later, "Oh no, thanks Paul for the hours you spent trying to find a breach, someone made a mistake updating a routing table". Doh.
- 2. Critical Samba bug could let anyone become Domain Admin – patch now! - "A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts."
- 3. Stop Using APT - nala sounds neat, I am skeptical, but apt is not the greatest for so many reasons.
- 4. Apple network traffic went through Russia for 12 hours - "However, if the traffic was rerouted on purpose, the ordeal would point to Russia carrying out a Border Gateway Protocol (BGP) hijacking." - Huh, perhaps just a mistake? But then I read this part: "While the nature of the accident is unclear, this wouldn’t be the first time Rostelecom had performed a BGP hijacking attack. In April 2020, over 200 content delivery networks were redirected through Rostelecom."
- 5. Why cybercriminals are flocking to Telegram
- 6. MARA - Neat keystroke logger
- 7. Trio of XSS bugs in open source web apps could lead to complete system compromise - Nicely done research that shows how 3 different XSS bugs can lead to code execution through other areas of the application (e.g. file upload functionality, SQL queries run through the admin interface, etc...). This makes it difficult to set the priority for an XSS bug: you have to explore each one to understand the impact. Everyone does that, right?
- 8. Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office - "To bypass macros blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents, researchers said. This is because, though the files themselves will have the MOTW attribute, the document inside, such as a macro-enabled spreadsheet, will not, researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web,” they wrote in the post. Additionally, threat actors can use container files to distribute payloads directly by adding additional content such as LNKs, DLLs, or executable (.exe) files that can be used to execute a malicious payload, researchers said."
- 9. Malicious Npm Packages Tapped Again to Target Discord Users - Interesting how they were only targeting Discord tokens...
- 10. GnuTLS patches memory mismanagement bug – update now! - "Note that many popular applications and programming toolkits either include or may be built to make use of GnuTLS, even though you may not be aware of it, including but by no means limited to: FFmpeg, GnuPG, Mplayer, QEMU, Rdesktop, Samba, Wget, Wireshark and Zlib. Many Linux or *BSD packages that use GnuTLS will rely on a central version managed by your distro itself, so be sure to update as soon as your distro has this version available."
- 11. Post-quantum encryption contender is taken out by single-core PC and 1 hour - Things are not looking good for SIKE: "NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms." and "SIKE—short for Supersingular Isogeny Key Encapsulation—is now likely out of the running thanks to research that was published over the weekend by researchers from the Computer Security and Industrial Cryptography group at KU Leuven. The paper, titled An Efficient Key Recovery Attack on SIDH (Preliminary Version), described a technique that uses complex mathematics and a single traditional PC to recover the encryption keys protecting the SIKE-protected transactions." - Remember SIKE was attacked using Hertzbleed...
- 12. LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender? - "In this post, we follow up on that incident by describing the use of another legitimate tool used to similar effect by a LockBit operator or affiliate, only this time the tool in question turns out to belong to a security tool: Windows Defender. During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads." (Ref: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/)
- 13. My New Favorite Linux Command - I use it every time someone comes to my desk now...
- 14. VMware Ships Urgent Patch for Authentication Bypass Security Hole - "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate" - I love authentication bypass, it opens so many possibilities.
- 15. A Brief History Of How Iron Sharpens Iron In Firmware Security - "One of the most satisfying aspects has been seeing how our research and collaboration with industry-leading OS vendors, chipset manufacturers, and OEMs have helped to improve the overall state of firmware security."
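For item 8 above (container files carrying macro-enabled documents, LNKs, DLLs and executables past the macro block), here is an added example of the kind of mail-gateway check a practitioner would want: it opens a ZIP in memory, recurses one level into nested ZIPs, and flags directly executable member types and Office documents that actually contain a VBA project (macro-enabled OOXML files carry a vbaProject.bin part). This is my own example code, not code from the article or the researchers; the extension lists and the sample container are constructed for the demo, and ISO/IMG parsing is out of scope (ZIP only). Whether MOTW survives extraction depends on the extraction tool, so inspecting the contents is the more reliable control.

```python
import io
import ntpath
import zipfile
from dataclasses import dataclass

# Assumed policy lists for this example: extend them to match your own gateway rules.
DIRECT_EXEC = {".exe", ".dll", ".lnk", ".js", ".jse", ".vbs", ".hta", ".scr", ".bat", ".cmd", ".ps1"}
OFFICE_OOXML = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
OFFICE_LEGACY = {".doc", ".xls", ".ppt"}   # OLE2 containers; macros are inside the compound file
MAX_DEPTH = 1                               # how many nested ZIP levels to descend into


@dataclass
class Finding:
    member: str   # path inside the container, nested members prefixed with "<inner>.zip/"
    reason: str


def _ext(name):
    return ntpath.splitext(name)[1].lower()


def has_vba_project(ooxml_bytes):
    """Macro-enabled OOXML documents ship the VBA code as word/, xl/ or ppt/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_container(container_bytes, prefix="", depth=0):
    """Return Findings for every member of a ZIP that a macro-block bypass would rely on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = _ext(info.filename)
            if ext in DIRECT_EXEC:
                findings.append(Finding(name, f"directly executable type {ext}"))
            elif ext in OFFICE_LEGACY:
                findings.append(Finding(name, "legacy binary Office format (may embed macros)"))
            elif ext in OFFICE_OOXML and has_vba_project(zf.read(info)):
                findings.append(Finding(name, "Office document with embedded VBA project"))
            elif ext == ".zip" and depth < MAX_DEPTH:
                # Nested container: look inside rather than trusting the outer listing.
                findings.extend(inspect_container(zf.read(info), name + "/", depth + 1))
    return findings


def _build_ooxml(with_vba):
    """Minimal stand-in for a .xlsx/.xlsm package (constructed, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_container():
    """Constructed lure ZIP mirroring the article's description; no real malware involved."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("loader.dll", b"MZ" + b"\x00" * 62)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_0822.xlsm", _build_ooxml(True))    # macro-enabled -> flagged
        z.writestr("Invoice_0822.xlsx", _build_ooxml(False))   # no VBA part -> clean
        z.writestr("readme.txt", "please review the attached invoice")
        z.writestr("Open Invoice.lnk", b"L\x00\x00\x00")        # shortcut -> flagged
        z.writestr("nested.zip", inner.getvalue())              # DLL one level down -> flagged
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_container(build_sample_container()):
        print(f"{f.member}: {f.reason}")
```

The same `has_vba_project` check works on a document that arrives unwrapped; the container walk is what matters for the ISO/RAR/ZIP/IMG delivery the researchers describe, since the outer file is the only thing MOTW reliably applies to.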
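For item 12 above (a LockBit operator abusing MpCmdRun.exe to load Cobalt Strike), here is an added detection example of my own, not from the SentinelOne post: it evaluates Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events and alerts when MpCmdRun.exe runs from outside the Defender install directories, or loads its client library MpClient.dll (or any unsigned DLL) from somewhere other than those directories, which is what a sideload looks like. The allow-listed Defender paths are an assumption for this example (the Platform subdirectory changes with each engine update), and the event records are constructed samples, not real telemetry.

```python
import ntpath
from dataclasses import dataclass

# Assumed locations of a genuine MpCmdRun.exe and its DLLs; adjust to your fleet.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


def _in_defender_dir(path):
    """True if the file's directory is one of the Defender directories or below them."""
    d = ntpath.normpath(ntpath.dirname(path)).lower()
    return any(d == base or d.startswith(base + "\\") for base in DEFENDER_DIRS)


def evaluate(event):
    """Apply the MpCmdRun rules to one event dict (Sysmon-like field names, constructed)."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "mpcmdrun.exe":
        return None
    if event["EventID"] == 1 and not _in_defender_dir(image):
        # The binary was copied somewhere the operator controls so a DLL can sit beside it.
        return Alert("MpCmdRun.exe executed outside Defender directories", image,
                     event.get("CommandLine", ""))
    if event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() == "mpclient.dll" and not _in_defender_dir(loaded):
            return Alert("MpCmdRun.exe sideloaded MpClient.dll", image, loaded)
        if str(event.get("Signed", "true")).lower() == "false":
            return Alert("MpCmdRun.exe loaded an unsigned DLL", image, loaded)
    return None


def scan(events):
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events: two benign, two matching the abuse pattern, one benign
# from the Platform directory that a naive "Program Files only" rule would misfire on.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": '"MpCmdRun.exe" -Scan -ScanType 1'},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "CommandLine": '"MpCmdRun.exe" -Scan -ScanType 1'},
    {"EventID": 7, "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll", "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpClient.dll",
     "Signed": "true"},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.process} -> {a.detail}")
```

The path allow-list is the weak point of a rule like this: an operator who can write into the Defender directories defeats it, so pair it with the signature check and with file-creation events for new DLLs next to any copied MpCmdRun.exe.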