Security Grades, Mirai, Quantum Cryptography, & Hacking “Beer” – PSW #687
In the Security News, If software got a security grade, most would get an F, SolarWinds hackers got some source code, new old bugs in the Linux kernel, hack stuff and get blown up, stop hacking "beer", weekly Chrome zero day, Mirai lives, long live Marai, how attackers could intercept your text messages, and rigging the election, the Homecoming Queen election that is.
Register to attend Joff Thyer's upcoming Wild West Hacking Fest course "Enterprise Attacker Emulation and C2 Implant Development": http://bit.ly/JoffsC2Class
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. D-Link DIR-3060 1.11b04 Command InjectionThe disclosure timeline is pretty hilarious. Also, I learned about a new company that is automating firmware analysis.
- 2. Biden administration mulls software security grades after SolarWinds"The White House is contemplating the use of cybersecurity ratings and standards for U.S. software, a move akin to how New York City grades restaurants on sanitation or Singapore labels internet of things devices" - There are challenges here. First, the rating has to be based on something that can be measured. You can measure the number of germs and bacteria in a kitchen using, well, science. How do you measure whether or not the software is secure? If there was a scientific and accurate way to do this, we wouldn't be having this conversation. Software changes, has multiple components that change, behaves differently in different environments, can be manipulated on the client and the server, and authentication is a huge issue.
- 3. Dawn of the new era of Cryptography called “Quantum Cryptography”"In the case of quantum cryptography, as you can see from the above diagram Alice tries to send photons which are in a specific direction to Bob. And Bob has placed a filter (in the middle) which is in an upward and downward direction, so that the photon getting out of the filter are either in upward or downward direction only. Even if the photons are diagonally tilted at Alice’s end it comes out from the filter in either up or down direction."
- 4. Smart doorbells on business premises make your property more attractive to burglars, warns researcher
- 5. NFT digital art is already attracting hackers"Nifty Gateway, a marketplace where users can buy, sell and display digital items, said in a statement that it encourages users to use two-factor authentication (2FA) to prevent account takeovers and hacking, noting that none of the accounts that were affected had 2FA enabled. The company, said it has seen “no indication of compromise of the Nifty Gateway platform.”"
- 6. Magecart Attackers Save Stolen Credit-Card Data in .JPG File"Specifically, Sucuri found that attackers injected PHP code into a file called ./vendor/magento/module-customer/Model/Session.php, then used the “getAuthenticates” function to load malicious code, Leal said. The code also created a .JPG file, which attackers used to store any data they captured from the compromised site, he said."
- 7. Latest Mirai Variant Targets SonicWall, D-Link and IoT DevicesResearchers are trying to match exploits to 0day vulnerabilities in Marai: "The exploits themselves include two RCE attacks — including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers."
- 8. Mom & Daughter Duo Hack Homecoming CrownThis was not really hacking, basically her Mom worked at the school and shared her creds with her daughter for the school management system: "On Oct. 31, Carroll’s daughter was crowned Homecoming Queen, but the victory was short-lived. The Washington Post said that before the vote window was closed, Election Runner sent an alert to the school warning that many of the votes were suspected to be fraudulent. Carroll’s daughter didn’t seem too worried about hiding the fraud, since she bragged to fellow students about the stolen votes. Arrest records document about 117 votes from the same IP address, which investigators were able to trace back to Carroll’s home and cellphone, the Post reported."
- 9. Can We Stop Pretending SMS Is Secure Now?My question is how are they intercepting the messages on the backend and can't the cell providers put a stop to this? "“It’s not a Sakari thing,” Lucky225 replied when first approached for more details. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.”"
- 10. SolarWinds hackers stole some of Mimecast source code
- 11. Google Warns Mac, Windows Users of Chrome Zero-Day FlawSo much 0day for Chrome this year: "Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems." The problem is Chrome has become the new IE. Stuff just works in Chrome. Which I switch to Chromium or Edge, stuff doesn't work. Firefox perhaps? Does it matter?
- 12. Molson Coors discloses cyberattack disrupting its brewery operationsWater is essential for living: "On a global scale, cybercriminals will continue to focus their efforts on this revenue-generating stream. This reinforces what we've said before that no industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure that critical information assets remain safeguarded and protected against it."
- 13. Critical Security Hole Can Knock Smart Meters Offline"Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is used by consumers in their homes, but also by utility companies that deploy these meters in order to monitor and bill customers for their services. They’re also used by industrial companies, data centers and healthcare companies."
- 14. A Hacker Got All My Texts for $16Original article everyone is talking about.
- 15. Exclusive: ‘Dumb mistake’ exposed Iranian hand behind fake Proud Boys U.S. election emailsReally dumb lol: "The video showed the hackers’ computer screen as they typed in commands and pretended to hack a voter registration system. Investigators noticed snippets of revealing computer code, including file paths, file names and an internet protocol (IP) address."
- 16. Defence review: UK could use Trident to counter cyber-attackI don't see cyber attack specifically being called out: "The new policy says Britain would “reserve the right” to use nuclear weapons in the face of “weapons of mass destruction”, which includes “emerging technologies that could have a comparable impact” to chemical or biological weapons."
- 17. Pwning the pen tester: Malicious Wireshark packet capture file risk revealed"A discussion on source code management platform GitLab suggests the issue may have been introduced with changes to Wireshark made as long as 17 years ago. The root cause of the problem is that for some schemes, referenced files will be opened by the system’s standard application associated with a particular file type"
- 18. Microsoft’s Azure SDK site tricked into listing fake packageSloppy on Microsoft's part: "However, the researcher has clarified this is not the result of dependency confusion but rather something much simpler. The researcher published the alexbirsantest package to npm and further added the npm account azure-sdk as a collaborator to his package, by following simple instructions laid out by npm. In this particular case, the "azure-sdk" accounts used on npm and GitHub appear to be bots configured to pick up any and all npm packages that these accounts were listed as collaborators for."
- 19. Paranoid Ninja on TwitterThis is just sloppy reporting and should be called out: https://www.securitynewspaper.com/2021/03/16/two-critical-zero-day-vulnerabilities-in-microsoft-office-365-allow-authentication-of-malicious-users/ Quote: "Paranoid Ninja ensures that cybercriminal groups often use these vulnerabilities to organize malicious campaigns aimed at users of this suite. In this regard, Microsoft will soon begin notifying users of its Office 365 service of hacking operations allegedly deployed by threat actors sponsored by foreign governments. "
- 20. New Old Bugs in the Linux KernelBest article this week: "If you’re thinking "wait, is all of this just automatically up and running even if I don’t use SCSI or iSCSI?", that’s great because that line of questioning would lead to you to the concept of on-demand kernel module loading and an attack vector that’s been around for a long time."
- 1. Dick Hoyt, ‘heart and soul of the Boston Marathon,’ dies at 80Not a security story, but I add this for everyone that needs a kick in the pants. We all have problems and we are all dealing with depression because of Covid-19, so let this story inspire and encourage you.
- 2. The Disaster of the Hafnium Attack on Microsoft Exchange and What to Do About It | onShore SecurityA vulnerability, initially detected and reported on in January, has been used in a zero-day exploit to gain access to web facing Microsoft Exchange email servers. This attack is now being characterized as a “global cybersecurity crisis”. The level of attack, number of victims, and method of exploit are all unprecedented.
- 1. Microsoft tool provides automated Exchange threat mitigationMicrosoft has released a PowerShell script to help customers running its Exchange Server on-premises software to quickly and easily mitigate against an attack. The "Exchange On-Premises Mitigation Tool" (EOMT) addresses a server-side request forgery authentication bypass vulnerability (CVE-2021-26855) via a uniform URL rewrite configuration.
- 2. Hackers hide credit card data from compromised stores in JPG fileHackers are now exfiltrating stolen credit card data lifted from compromised online stores inside JPG image files on the compromised web site in order to reduce their traffic footprint and evade detection.
- 3. Ex-contractor accessed Vic govt IT system 260 times a year after leavingThe Office of the Victorian Information Commissioner's (OVIC) has disclosed that between September 2017 and October 2018, a former contractor working for an unnamed contracted service provider (CSP) managed to breach Victorian government IT systems 260 times and steal personally identifiable information (PII) from its client relationship information system for service providers (CRISSP) for 12 months after leaving the CSP.
- 4. Azure Active Directory issue takes down Teams, Office, Dynamics and more for some usersAn Azure Active Directory issue causing authentication problems is affecting a subset of Microsoft customers worldwide across many Microsoft services, including Azure Portal, Dynamics, Office, Teams, and Xbox Live, Microsoft says the issue has been mitigated as of March 16.
- 5. New Mirai Variant and ZHtrap Botnet Malware Emerge in the WildNew wave of attacks exploiting multiple vulnerabilities to deploy ZHtrap (Mirai variant) on compromised systems. Attackers exploited vulnerabilities in various firewalls, VPNs, and Ethernet switches to infect targeted systems.
- 6. Hackers are targeting telecom companies to steal 5G secretsChinese APT group "Mustang Panda" (RedDelta) has been spotted targeting telecommunications firms in Europe, Southeast Asia, and the U.S. in ongoing attacks designed to infect targeted systems with malware and steal sensitive data, including detailed information related to 5G technology. Once victims visit the malicious page, it delivers a bogus Flash app that is then used to drop the "Cobalt Strike" backdoor
- 7. FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UKAn alert issued on Tuesday by the FBI warns about an increase in PYSA ransomware (aka Mespinoza) attacks on education institutions in the United States and the United Kingdom. PYSA operators post information on their dark web blog about their ransomware attack victims and threaten to publish stolen data if that ransom is not paid.
- 8. Hacker leaks payment data from defunct WeLeakInfo breach siteA threat actor reportedly breached the now-defunct "WeLeakInfo" data breach site and leaked customers' personally identifiable information (PII) as well as the service's payment information. Information compromised includes victims' full names, email addresses, phone numbers, physical addresses, and, in many cases, passwords.
- 9. SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and ProceduresCISA has released a table of TTPs used by the APT actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
- 11. CRA locks out taxpayer accounts after discovering unauthorized use of credentialsCRA reportedly revoked some 800,000 taxpayers' CRA account credentials after discovering that an unidentified individual or group breached its systems in February 2021 and stole users' account credentials. Canadians remain an attractive target due high standard of living and technology adoption rate.
- 12. Breach Exposes Data of 200K Health System Staff, PatientsA medical practice management firm that provides support to Tacoma-based MultiCare Health System has alerted over 200,000 patients, providers and staff that their PII may have been compromised after its technology vendor, Netgain Technology, was hit by a ransomware attack.
- 13. DearCry ransomware attacks Microsoft Exchange with ProxyLogon exploitsResearchers say they have spotted attackers installing a new piece of ransomware dubbed "DEARCRY" after hacking into Microsoft Exchange servers vulnerable to the recently uncovered "ProxyLogon" vulnerabilities.
- 14. Molson Coors Suffers Suspected Ransomware AttackMolson Coors disclosed it suffered what appears to be a ransomware attack after experiencing a "system outage caused by a cybersecurity incident" that resulted in disruptions to its operations. They have "[E]ngaged leading forensic information technology firms and legal counsel to assist the company's investigation into the incident and the company is working around the clock to get its systems back up as quickly as possible."
- 15. Russia and Iran tried to interfere with 2020 election, U.S. intelligence agencies sayRussia and Iran tried to interfere in 2020 elections The News with Shepard Smith Russia and Iran both carried out operations to interfere with the election, designed to undermine confidence in the election process.
- 16. GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. Security Fix: Remote code execution via unsafe user-controlled markdown rendering options - Critical An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorised authenticated users to execute arbitrary code on the server. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9).
- 17. AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection ToolThis Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations. AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment. Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.