Cloud security, Email security, Remote access, Security awareness, Vulnerability management

WRT54G Hacking History, 70 Unpatched Cisco Vulns, & Bypassing MFA – PSW #680

In the Security News: how two authors became part of WRT54G hacking history, European police and German law enforcement have taken down the illegal "DarkMarket" online marketplace, 70 unpatched Cisco vulnerabilities and why these are not a big deal, Adobe is blocking Flash content, most containers still run as root, watching private videos on YouTube is more like silent films, and get a free bag of weed when you get your vaccine!

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. Hackers used 4 zero-days to infect Windows and Android devices - One of the bugs was described as the following (which I found interesting): "One of the features that make JavaScript code especially difficult to optimize is the dynamic type system. Even for a trivial expression like a + b the engine has to support a multitude of cases depending on whether the parameters are numbers, strings, booleans, objects, etc. JIT compilation wouldn't make much sense if the compiler always had to emit machine code that could handle every possible type combination for every JS operation. Chrome's JavaScript engine, V8, tries to overcome this limitation through type speculation."
  2. Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers - This sounds bad, except: "The security bugs exist because user-supplied input to the web-based management interface of the affected router series is not properly validated, thus allowing an attacker to send crafted HTTP requests to exploit these issues. An attacker able to successfully exploit these vulnerabilities would be able to execute arbitrary code with root privileges on the underlying operating system. A mitigating factor, however, is that valid administrator credentials are required for exploitation." Uhm, if I have administrator credentials already, why would I need an exploit?
  3. Most containers are running as root, which increases runtime security risk - "Among its findings, the report states that while 74 percent of customers are scanning before deployment, still 58 percent of containers are running as root. There are some containers that should run as root—security and system daemons for example—but this is a small portion of total containers." Report here: https://sysdig.com/blog/sysdig-2021-container-security-usage-report/ and it looks like it was a report based on Sysdig customers, who have implemented a container security platform, yet still run containers as root? WTH?
  4. Google reveals high-profile attack targeting Android, Windows users
  5. Understanding TCP/IP Stack Vulnerabilities in the IoT - If it were only that easy: "Experts point to three foundational steps for dealing with TCP/IP stack vulnerabilities: identifying all devices on a network to understand which are vulnerable; assessing the risks introduced by these devices, which include their business context, criticality, and Internet exposure; and mitigating the assessed risks."
  6. Larger CyberBunker investigation yields shutdown of DarkMarket – CyberScoop - "German police raided the CyberBunker's headquarters in September 2019 in Traben-Trarbach, a small town close to the Luxembourg border. Eight defendants — four Dutchmen, three Germans and one Bulgarian — stood trial beginning in October for allegedly aiding and abetting 249,000 transactions involving drugs, money laundering, stolen information and pornographic images of children."
  7. Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content - But, if it's not updating Flash, how will Flash Player block content? "Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems," according to Adobe.
  8. How I found a bug in YouTube that let me watch private videos I wasn't allowed to, says compsci student
  9. RCE Vulnerability Affecting Microsoft Defender
  10. Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender – Microsoft Security - See my story number 9 above...
  11. Minimizing cyberattacks by managing the lifecycle of non-human workers - It's important to manage the lifecycle of alien workers (from outer space), not just humans...
  12. Criminals are Bypassing MFA to Access Organisation's Cloud Services
  13. Get A Free Bag Of Marijuana With Your Covid-19 Vaccine - Literally called "Joints For Jabs". They gave out joints in 2016 at the presidential inauguration, but this year thought it was a bad idea because 1. They licked all the joints and 2. People lit them up immediately...
  14. User successfully runs Ubuntu on a jailbroken iPhone 7 – 9to5Mac - https://flip.it/.FZloD
Jeff Man
Information Security Evangelist at Online Business Systems
Joff Thyer
Security Analyst at Black Hills Information Security
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments - CISA has become aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices in cloud services. CISA released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services.
  2. Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services - The analysis report has a great summary of attack vectors and solutions/mitigations. Make sure that you're adequately securing cloud environments; at a minimum, make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
  3. Networking giant Ubiquiti alerts customers of potential data breach - Ubiquiti has announced a security incident that may have exposed its customers' data. Ubiquiti is asking users to enable MFA and change passwords.
  4. Illegal marketplace "DarkMarket" taken offline - European police and German law enforcement have taken down the illegal "DarkMarket" online marketplace, seized some 20 servers hosting the site in Moldova and Ukraine, and arrested an Australian man who is believed to be the site's operator. The DarkMarket underground community was one of the more prominent and largest underground marketplaces that threat actors used to trade malicious tools and illegal goods on the dark web.
  5. SolarLeaks site claims to sell data stolen in SolarWinds attacks - A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. The solarleaks.net domain containing the data was registered with "NJALLA," which is used by Russian hacking groups "Fancy Bear" and "Cozy Bear."
  6. Hackers Compromise Mimecast Certificate For Microsoft Authentication - A sophisticated threat actor compromised a Mimecast certificate used to authenticate several of the company's products to Microsoft 365 Exchange Web Services; tenants using Mimecast need to delete and re-add the connection using the new certificate.
  7. Accellion hack behind Reserve Bank of NZ data breach - The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack targeting an unpatched Accellion file transfer appliance (FTA). The replacement is Kiteworks.
  8. This Android malware claims to give hackers full control of your smartphone - Attackers have combined the "Cosmos" and "Hawkshaw" Android remote access Trojans (RAT) to create the "Rogue RAT," which also monitors victims' GPS locations, takes screenshots, uses the camera to snap photos, and secretly records audio, all while remaining hidden.
  9. Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks - Fortinet identified four serious vulnerabilities (CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, and CVE-2020-29019) affecting the FortiWeb administration interface that Fortinet describes as a "SQL injection issue and two buffer overflows" - Likely low to medium risk due to limited impacts of exploitation.
  10. US Announces Controversial State Department Cyber-Bureau - The US government has announced the creation of a new cybersecurity agency to align with the country's diplomatic efforts. The Bureau of Cyberspace Security and Emerging Technologies (CSET) will lead U.S. government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect U.S. foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber-conflict, and prevailing in strategic cyber-competition.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element