Paul’s Security Weekly #704

Paul Asadoorian

1. From Stolen Laptop to Inside the Company Network
   Adrian dropped this story in our SW chat, really amazing work. Should we still even bother to encrypt our hard drives then?
2. Hacking DEF CON 29 – Reznok
   Sometimes web app hacking is pretty straight forward: "What I had found was a very well known access control vulnerability known as IDOR (Insecure Direct Object Reference). To exploit this IDOR vulnerability, all an attacker needs to identify is how the order numbers are generated, which in this case was incrementally, and that no authentication is required. This exploit example is about as straight forward as web hacking gets, but even if an exploit is simple, it can still be highly impactful." The issue was resolved with a token.
3. Microsoft Teams now automatically blocks phishing attempts
   "Safe Links is a feature in Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) that provides URL scanning and "time-of-click verification" of URLs and links in email messages, groups, and other locations." - Is this something that you should just enable as added protection? What are the limitations or potential operational risks?
4. 11-Year-Old Finds Loophole in Newegg App to Quickly Buy PC Graphics Cards
   Sometimes web app hacking is even more simple, like just using the mobile app: "However, Santana’s son discovered that Newegg’s mobile app can let you buy the hot item GPUs from the custom PC builder service individually. Go to PC builder > Build your PC > Video Cards section. You’ll see various RTX 3000 GPUs listed as out of stock. But in some cases, if you add the product to your cart, the app will do so, and let you purchase it. "
5. Tokenvator Release 3
6. CWE – 2021 CWE Top 25 Most Dangerous Software Weaknesses
   Really cool list, and even more fun to dig into the individual CWEs, then scroll down to references. They've done a great job of collecting some of the definitive works that describe each type of vulnerability. For anyone starting out in infosec, this is required reading. Examples: Aleph One. "Smashing The Stack For Fun And Profit". 1996-11-08. (http://phrack.org/issues/49/14.html), Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security", David Litchfield, Chris Anley, John Heasman and Bill Grindlay. "The Database Hacker's Handbook: Defending Database Servers". Wiley. 2005-07-14, Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. (https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf).
7. Olympics Broadcaster Announces His Computer Password on Live TV
   Whoops: "Turns out the password was "Booth.03" after the number of the commentator's booth."
8. Failed SSH Lockout!
   Moral of the story: don't leave SETUID files laying around owned by root. (find directory -user root -perm -4000 -exec ls -ldb {} ; >/tmp/filename)
9. New PetitPotam attack allows take over of Windows domains
10. The Evolution of Security Testing
    Interesting, should we be using automated fuzzing more? "Fuzzing provides a proactive approach to security testing. It is the negative or non-functional testing. It shows whether or not an application can withstand unexpected situations, and it helps uncover zero days. One way to think about (and justify) Advanced Fuzz Testing is that it is penetration testing in a machine. Like pen testing, Advanced Fuzz Testing thinks box. However, there are benefits to Advanced Fuzz Testing not found with pen testing. Unlike pen testing, Advanced Fuzz Testing is continuous, not just a point in time. It can be done at human) speed. It can be performed at machine scale, and with machine accuracy. This coverage than what a human is capable of doing."
11. Biden Warns Cyberattacks Could Escalate to a “Real Shooting War”
    This is a really interesting statement from the POTUS: "We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack." Article 5 of the North Atlantic Treaty is: "Article 5 provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked."
12. Microsoft researcher found Apple 0-day in March, didn’t report it
13. Top Routinely Exploited Vulnerabilities
    Do we just patch what is being exploited? "Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. "
14. Hackers posed as aerobics instructors in malware attack on defense contractors
    "According to researchers, the group members posed as diet and aerobics instructors on Facebook to inject malware into the devices used by an aerospace defense contractor’s employees."
15. Reboot of PunkSpider Tool at DEF CON Stirs Debate
    So PunkSpider is like Shodan, but collects vulnerabilities in websites. Two opposing views, on one hand "Making them public might be the thing that pushes administrators to fix [these vulnerabilities]." but on the other hand: "t is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves." - Thoughts?
16. No Root For You
    So once your data is in the cloud its totally safe? "The shift to cloud computing and hardened client-side computing is not just well underway. It’s nearly complete. Until we come up with a better solution, our defense against ransomware is in the clouds. When we work in the cloud, the data is encrypted up there and down here, the client software is easy to replace, and the hardware could be anything with a screen and a keyboard. And I think I can give up root for that." - Look, I'm not ready to give up root. But, that's not really the point. The attackers will go after the data, whether its in the cloud or not. Let's say, as this article proposes, that your data is stored in the cloud. Defending against ransomware attacks now means you have to secure the data in the cloud. The question for attackers is how do they steal, delete, erase and/or encrypt all of your data in the cloud? Certainly possible, we'll probably call it ransomware 2.0 or some crap like that.
17. Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers
18. LockBit 2.0, the first ransomware that uses group policies to encrypt Windows domains

Larry Pesce

1. From Stolen Laptop to Inside the Company Network — Dolos Group
2. Rickrolling: The Definitive Oral History
3. Receiving pH Readings from a Wireless Medical Implant with RTL-SDR
   Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR
4. Using Ghidra To Extract A Router Configuration Encryption Key
5. Kaspersky Password Manager: All your passwords are belong to us

Lee Neely

1. Discord is now an essential tool for hackers
   Gaming-centric messaging platform Discord has become a favorite tool among cybercriminals, research suggests. A new report from security company Sophos says it uncovered 17,000 unique malware URLs in Discord's content delivery network (CDN), nearly 5,000 of which are still active.
2. Security vulnerabilities in IDEMIA access control devices could allow attackers to ‘remotely open doors’
   Three vulnerabilities (CVE-2021-35522, CVE-2021-35520, CVSS 6.2, and CVE-2021-35521) affecting biometric access control devices manufactured by IDEMIA that could be exploited by attackers to remotely execute arbitrary code, cause a DoS condition, or read/write arbitrary files on compromised devices. According to researchers from Positive Technologies.
3. Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems
   PowerShell based crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by exploiting older vulnerabilities while concurrently using various spreading mechanisms to maximize their campaigns' efficacy.
4. Threat actor offers Clubhouse secret database containing 3.8B phone numbers
   A threat actor has reportedly posted and offered up for sale a "secret" database belonging to social audio app "Clubhouse" containing some 3.8 billion phone numbers belonging to Clubhouse users, including more than 83 billion numbers belonging to Japanese users. Information compromised in the breach is said to include victims' user IDs, full names, usernames, Twitter handles, Instagram handles, number of followers, number of people followed by the users, accounts' creation dates, and invited by user profile names, but no financial data.
5. China’s New Law Requires Vendors to Report Zero-Day Bugs to Government
   The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report.
6. TikTok, Snapchat account hijacker arrested for role in Twitter hack
   DOJ has announced the arrest of 22-year-old U.K. national Joseph O’Connor for his role in the 2020 Twitter hack. The criminal complaint alleges that O'Connor was also involved in taking over Snapchat and TikTok accounts.
7. Chinese spies are exploiting routers to try hacking French targets, cyber agency says – CyberScoop
   ANSSI, French National Agency for the Security of Information Systems has revealed it is now dealing with a "massive" hacking campaign being conducted by the China-linked advanced persistent threat (APT) group APT31.
8. Average time to fix high severity vulnerabilities grows from 197 days to 246 days in 6 months: report
   A research group’s analysis determined that the time required for a vendor to learn of, and then release a security update to close a vulnerability has risen from an average of 197 days to 246 days. Further, the group found that within the Utilities sector that more than 65% of their software applications contained at least one serious exploit – the worst statistic across all measured categories.
9. Ninth Circuit limits feds’ confiscation of cellphones, laptops at points of entry: report
   San Francisco’s 9th Circuit recently ruled that Border Patrol agents positioned at some U.S. checkpoints located across states that they officiate over will, by and large, require a search warrant to access a traveler’s laptop computer or cell phone without the travelers consent. Agents may only search the electronic devices for digital contraband (e.g. child pornography).
10. BlackMatter Ransomware Claims to Be Best of REvil, DarkSide
    Possible former DarkSide affiliate now associated with DarkMatter. While REvil sites were takend down in July, it's not clear that Sodinokibi operations have ceased.