Security News – PSW #757
Casey is the Founder, Chairman, and CTO of Bugcrowd. He is an 18-year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant and solutions architect, then most recently as a career entrepreneur. Casey pioneered the Crowdsourced Security as a Service model launching the first bug bounty programs on the Bugcrowd platform in 2012, and co-founded the disclose.io vulnerability disclosure standardization project in 2016.
A proud ex-pat of Sydney Australia, Casey lives with his wife and two kids in the San Francisco Bay Area. He is happy as long as he’s passionately pursuing potential.
- 1. SSRF vulnerabilities and where to find them – Detectify Labs
- 2. Fingerprintx Tool: An Internship Project for the Real World – Praetorian
- 3. Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804)
- 4. Russia gives citizenship to ex-NSA contractor Edward Snowden - "A decree signed Monday by Russian President Vladimir Putin listed Snowden as one of 75 foreign citizens listed as being granted Russian citizenship. After fleeing the U.S. in 2013, Snowden was granted permanent Russian residency in 2020 and said at the time that he planned to apply for Russian citizenship without renouncing his U.S. citizenship." - Could he be called up for military service in Russia? Has he disclosed secrets to Russia? Also, curious how he is making a living these days...
- 5. How 3 hours of inaction from Amazon cost cryptocurrency holders $235,000 - "On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. With possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page."
- 6. SIM Swapper Abducted, Beaten, Held for $200k Ransom – Krebs on Security - "A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life." - SIM swapping gets real. Why is it typically younger kids who are "holders"?
- 7. Negotiating a golden parachute clause in a CISO contract
- 8. Mythic Case Study: Assessing Common Offensive Security Tools
- 9. Introducing Hintfo – The Hacker Factor Blog - "After chatting with Jeffrey last July, I decided to create my own "just metadata viewer". Since metadata contains helpful hints and internal information about files, I named my new service Hintfo (it's online at https://hintfo.com/). It works as easily as Jeffrey's: You upload a file to Hintfo and it shows you the metadata."
- 10. Shift F10 bypass and Autopilot privilege escalation
- 11. $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned - It can be costly to properly destroy data on older equipment (we interviewed someone a while back on this subject). However, I think it's still cheaper than paying fines of $35 million.
- 12. What's behind the different names for hacker groups - "Microsoft picks names from the periodic table. CrowdStrike gives Chinese state groups a name with "Panda" in it, Russian state groups get a "Bear" name, Iranian groups have "Kitten" names, and North Korean groups are "Chollima." Broadcom's Symantec uses names of insects. Palo Alto Networks names groups after constellations." - Not gonna lie, I kinda like how CrowdStrike does it. But why can't we all agree on a standard? I mean, we agree on so many other stand...oh nevermind...
- 13. Vultron: A Protocol for Coordinated Vulnerability Disclosure
- 14. New hacking group ‘Metador’ lurking in ISP networks for months
- 15. Linux System Call Monitoring – Black Hills Information Security
- 16. Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
- 17. 350,000 open source projects at risk from Python vulnerability
- 18. Hunting for Unsigned DLLs to Find APTs
- 19. When Ransomware Meets IoT: What's Next? - "Trojan ZuoRAT was found to target initially routers to then enumerate and move laterally to workstations in the victim's network. Beyond that, we spoke directly with security leaders at financial organizations, who confirmed that IP cameras are among their riskiest devices according to their own internal security assessments." - I'm concerned with the bricking of devices being tied to ransomware. It's so easy to brick a device remotely today: just keep dropping devices until a ransom is paid, not that I want to give anyone ideas. However, recovery from a firmware wipe is hard.
- 20. Attackers abuse web security flaw in Sophos Firewall - This must be trivial to exploit: "This is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall that could be abused by remote attackers to execute arbitrary code on the vulnerable versions of Sophos firewalls." Ref: https://thesecmaster.com/how-to-fix-cve-2022-3236-a-critical-rce-vulnerability-in-sophos-firewall/
- 21. Attackers impersonate CircleCI platform to compromise GitHub accounts
- 22. ISC fixed high-severity flaws in the BIND DNS software
- 23. CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation - Hot mess: "This vulnerability happens due to a vulnerable version of ApacheOfBiz (CVE-2020-9496) that exposes an XML-RPC endpoint at /webtools/control/xmlrpc; in the case of ManageEngine products this endpoint is /xmlrpc. This endpoint deserializes Java objects; as part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands." References: https://www.bigous.me/2022/09/06/CVE-2022-35405.html and https://github.com/viniciuspereiras/CVE-2022-35405/
- 24. New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access - This is the dangerous part: "In terms of supply chain impact, it will take 6-9 months based on our data for the vulnerabilities to be patched by device manufacturers at least on all the enterprise devices"
- 1. FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports - Allegedly a young attacker who got in over their head; initially tried asking for a $1M ransom to not release the data, then madly backpedaled, apologized, and said they deleted the data. Some very interesting talking points here:
  1. Optus is Australia's 2nd largest mobile telecom. It is a subsidiary of Singtel, a Singaporean government-owned telecom conglomerate that happens to be a huge cybersecurity investor (they bought Trustwave back in 2015, and rumors of them selling it have been swirling for the past few years).
  2. The attack vector was apparently an unauthenticated API that gave access to the entire live customer database. It was allegedly part of a test network that wasn't supposed to be exposed to the Internet (whoopsie!).
  3. The attacker alleges they would have reported the security issue, but couldn't find any way to do so (no bug bounty, VDP, security contact, security.txt, DNS security record).
  4. They released a 10,200-record sample as proof they had the data, but allegedly "nearly 10 million records" were exfiltrated, making it potentially Australia's biggest breach in terms of impact to individual citizens.
  5. Was texting individuals, trying to ransom each record individually for $1300 per record. Bold enough to be requesting bank transfer to a domestic (CBA) bank!!
- 2. Tenchi Security's new newsletter, Alice in Supply Chains
- 1. Digital natives more likely to fall for phishing attacks at work than their Gen X and Boomer colleagues
- 2. Getting Started with the undocumented Tesla BLE API
- 3. Someone is pretending to be me.
- 4. "Girls Who Code" books banned in some US classrooms - The Register
- 5. Say Hello to Crazy Thin 'Deep Insert' ATM Skimmers - Krebs on Security