PSW #759 – Ismael Valenzuela
1. A Day in the Life of a Threat Researcher – Ismael Valenzuela – PSW #759
As Vice President of Threat Research & Intelligence at BlackBerry, Ismael Valenzuela leads threat research, intelligence, and defensive innovation. Ismael has participated as a security professional in numerous projects around the world for over two decades. In this episode, Ismael discusses his journey to becoming a top cybersecurity expert. We also explore the cybersecurity trends he and his team are seeing, and how cyber attackers are gaining a foothold and maintaining persistence.
Segment Resources: https://www.blackberry.com/us/en/company/research-and-intelligence
https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Ismael Valenzuela is Vice President of Threat Research & Intelligence at BlackBerry, where he leads threat research, intelligence, and defensive innovation. Ismael has participated as a security professional in numerous projects across the globe for over 20 years, which included being the founder of one of the first IT Security consultancies in Spain.
As a top cybersecurity expert with a strong technical background and deep knowledge of penetration testing, security architectures, intrusion detection, and computer forensics, Ismael has provided security consultancy, advice, and guidance to large government and private organizations, including major EU Institutions and US Government Agencies.
Hosts
2. Detecting Deepfake Audio, Supply PHP Attack, UMAS Secrets, & Pixel 6 Bootloader – PSW #759
This week in the Security News: The secrets of Schneider Electric’s UMAS protocol, Pixel 6 bootloader: Emulation, Securing Developer Tools: A New Supply Chain Attack on PHP, Microsoft Exchange double zero-day – “like ProxyShell, only different”, Tech Journalists Offered Bribes to Write Articles for Major Outlets, & Detecting Deepfake Audio!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. On Bypassing eBPF Security Monitoring · Doyensec's Blog
  Pretty awesome article, deeply technical; I need to study eBPF and kernel structures more.
- 2. Wi-Fi spy drones used to snoop on financial firm
  "The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. 'This led the team to the roof, where a "modified DJI Matrice 600" and a "modified DJI Phantom" series were discovered,' Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device." Wow: "The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device."
- 3. The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys
  "Team82 has developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines." Kind of similar to finding that one page on the web app that doesn't check for auth: "Use [REDACTED] opcode, which has no security memory region checks, to copy an internal struct containing a native pointer to a valid memory area to a writable memory area".
- 4. Hidden DNS resolver insecurity creates widespread website hijack risk
  To sum it all up, this is a Kaminsky attack on a closed resolver using an email server as the vector.
- 5. This Thermal Attack Can Crack Your Password in Just a Few Seconds
  "Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passerby equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device. The brighter an area appears in the thermal image, the more recently it was touched. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users' passwords."
- 6. Fortinet warns of critical flaw in its security software
  Wow, so basically, if you're vulnerable, it's like having the web interface exposed to the Internet with no password required, as you can: "Modify the admin users' SSH keys to enable the attacker to login to the compromised system, Add new local users, Update networking configurations to reroute traffic, Download the system configuration, Initiate packet captures to capture other sensitive system information."
- 7. No fix in sight for mile-wide loophole plaguing a key Windows defense for years
  Wait, could Microsoft fix this problem? "Given the history, you might think that Microsoft would have created a viable defense to stop BYOVD attacks, but sadly there's no evidence that's the case. The company claims that Windows users can enable a feature that automatically blocks known vulnerable drivers, but I was unable to make it work on my ThinkPad running the latest version of Windows 10, and as I'll get to shortly, Microsoft has no interest in helping me." Oh wait, nope: "turning on the combination of memory integrity and Hypervisor-protected code integrity will offer protection against BYOVD attacks, but at my request, Kálnai enabled both on a system running Windows 10 Enterprise, 10.0.19044 and then attempted to load the vulnerable Dell driver exploited by Lazarus. As the screenshot below shows, the driver loaded just fine." Also, why can't we get a block list, or even better, a certificate revocation? Of course, if the driver is working as intended, does not contain vulnerabilities, and the key has not leaked, I suppose you wouldn't want to revoke it globally. Can admins get control of the revocation list? Sure, but then an attacker could also control the revocation...
- 8. Never-before-seen malware has infected hundreds of Linux and Windows devices
  Interesting: "it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys."
- 9. What can we learn from leaked Insyde's BIOS for Intel Alder Lake
  It appears this leak was from a developer who was working on UEFI implementations for what appears to be Lenovo. The leak contained binary blobs from different manufacturers, UEFI source code, some keys, and scripts/configs that help OEMs package all this together. As far as I can tell from reading about this, the keys that were leaked do not really pose a threat unless the public key was fused into the hardware. There is also a difference between UEFI Secure Boot, BIOS Guard, signed BIOS updates, and Boot Guard (essentially they all use different keys). The keys involved were for Boot Guard, and I believe these were for testing, meaning production computers that shipped would not use the keys. Two main points that few are actually talking about: 1) the supply chain for firmware on your computer is a "hot mess"; 2) this gives researchers valuable information to conduct further research (e.g. microcode updates).
- 10. The Zero Day Dilemma
  I really like this insight: "To sum up, the problem of the zero day attack has not been solved because every approach depends on knowledge of events that have happened in the past, whether it's known malware or known "normal" network/application behavior that serves as a benchmark for spotting malware-caused anomalies."
- 11. Mark Ermolov on Twitter
  This response from @NikolajSchlej is highly accurate: "If that is really a KeyManifest signing key, and there are any machines that have a hash of the public key fused into FPFs, BG on that platform is under nearly full control. I.e. one can generate a new BootPolicy signing key and protect any BG-protectable range, including none."
- 12. Intel Confirms Alder Lake BIOS Source Code Leak
  "In fact, famed security researcher Mark Ermolov has already been hard at work analyzing the code. His early reports indicate that he has found secret MSRs (Model Specific Registers) that are typically reserved for privileged code and thus can present a security problem"
- 13. VMware vCenter Server bug disclosed last year still not patched
  The workaround sounds like a nightmare: "To block attack attempts, VMware advises admins to switch to Active Directory over LDAPs authentication OR Identity Provider Federation for AD FS (vSphere 7.0 only) from the impacted Integrated Windows Authentication (IWA)."
- 1. FACT SHEET: Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity
- 2. Ikea smart bulbs can be exploited to force them to blink
- 3. Cybersecurity ‘issue’ hits US healthcare org CommonSpirit
- 4. r2c blog — It’s time to ignore 98% of dependency alerts. Introducing Semgrep Supply Chain.
- 5. Hackers leak 500GB trove of data stolen during LAUSD ransomware attack
- 6. Hackers now sharing cracked Brute Ratel post-exploitation kit online
- 7. When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
- 8. SECURITY ALERT: Attack Campaign Utilizing Microsoft Exchange 0-Day
- 1. Adobe Releases Security Updates for Multiple Products
  Review Adobe Security Bulletins and apply the necessary updates.
  - Adobe ColdFusion APSB22-44
  - Adobe Acrobat and Reader APSB22-46
  - Adobe Commerce and Magento Open Source APSB22-48
  - Adobe Dimension APSB22-57
- 2. Toyota says about 296,000 pieces of customer info possibly leaked
  Toyota revealed it had discovered that roughly 296,000 email addresses and customer numbers may have been leaked from its "T-Connect" telematics service, which is used to connect vehicles via a network.
- 3. Dark web carding site BidenCash gives 1.2M payment cards for free
  BidenCash, a popular dark web carding site, released a dump of more than 1.2 million credit cards to promote its service.
- 4. Lloyd's of London reboots network after suspicious activity
  Lloyd's of London says they have "detected unusual activity on [their] network and … are investigating the issue." Lloyd's has reset its IT systems and shut down external connectivity, but has yet to provide further details.
- 5. Updated Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
  The update to the instructions changes the blocking rule in IIS Manager from .*autodiscover.json *Powershell.* to (?=.*autodiscover.json)(?=.*powershell). It's likely going to be easier to use the updated EOMTv2 PowerShell script and avoid transcription errors.
- 6. Unpatched Zimbra flaw under attack is letting hackers backdoor servers
  An unpatched code-execution vulnerability in the Zimbra Collaboration software is under active exploitation by attackers, who are using it to backdoor servers.
- 1. Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
  Resurrected Emotet report. The report reveals never-before-exposed insights into Emotet, including a large-scale, detailed analysis of:
  - The modules Emotet delivers
  - Emotet's execution chains and their evolution
  - Emotet's multiple attack waves, campaigns, and network infrastructure
  - How to create an Emotet sock puppet to fetch modules
  - How to extract the recently updated Emotet configuration
  - Correlating infection techniques and Emotet's network infrastructure, revealing the agile-like software development lifecycle of Emotet
  Key highlights and takeaways from the Emotet research report:
  - Shows evidence that attacking patterns are in continuous evolution
  - Its attacks serve multiple objectives and have become more prolific due to its wide range of infiltration tactics
  - Infrastructure is constantly shifting due to threat actors' attempts to stay covert and maintain their C2 framework
  The report concludes with recommendations and best practices to support your security strategy for a more ironclad defense against Emotet and other nefarious malware strains.
- 2. Rollercoaster rides trigger emergency calls from new iPhones
  Perils of the iPhone 14 crash detection system. Google's Pixel phone already has a crash detection system. Previous reporting by the WSJ testing Apple's system in a variety of collisions, including using the skills of a "demolition derby" driver, did not suggest the system was overly sensitive. However, the newspaper was provided with records of six calls to local emergency services from iPhones whose crash detection system had been triggered while on rides at Kings Island amusement park outside Cincinnati, Ohio. Dollywood has signs suggesting riders turn off watches and phones.
- 3. Apple introduces Ask Apple for developers
  My question: for the average dev, would having one-on-one guidance or a chance for code-level review aid in building in security? Why or why not? A new series of interactive Q&As and one-on-ones provides developers with direct access to Apple experts. Developers can inquire about a variety of topics, such as testing on the latest seeds; implementing new and updated frameworks from Worldwide Developers Conference (WWDC); adopting new features like the Dynamic Island; moving to Swift, SwiftUI, and accessibility; and preparing their apps for new OS and hardware releases. They can ask questions of various Apple team members through Q&As on Slack or in one-on-one office hours. Q&As allow developers to connect with Apple evangelists, engineers, and designers. Developers can ask for code-level assistance, design guidance, input on implementing technologies and frameworks, advice on resolving issues, or help with App Review Guidelines and distribution tools.
- 1. Gmail is getting the security upgrade it's always needed
  Client-side encryption is coming to Gmail and Google Calendar. Under this system, data will be encrypted on the end user's device before being transmitted to datacenter servers, which means not even Google will have access to the encryption keys necessary to gain access.
- 2. A real world breach involving a drone delivered exploit system that occurred this summer
  Two drones landed on an investment company's roof carrying a WiFi Pineapple, a Raspberry Pi, and a laptop. They entered the Wi-Fi network by spoofing an authorized MAC address.
- 3. North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon
  North Koreans are applying for jobs at cryptocurrency companies and using exploits to steal massive amounts of cryptocurrency: $840 million in the first five months of 2022.
- 4. All Windows versions can now block admin brute-force attacks
  All Windows versions now have a policy available to lock out accounts for a time period after too many failed logins, intended to mitigate RDP and other brute-force password vectors.