Baby Food, Lapsus$, Anonymous Vs. Printers, UEFI Rabbit Holes, & Browser-In-Browser – PSW #733
In the Security News: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, Anonymous hacks printers, the UEFI security rabbit hole goes DEEP, MikroTik and TrickBot, Browser-in-the-Browser attacks, Nestle gets attacked for not wanting to hurt babies, just another sabotage, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
Paul Asadoorian
Principal Security Evangelist at Eclypsium
- 1. How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects – Cycode
  Command injection for GitHub Actions, yikes.
- 2. Why We Haven’t Seen Debilitating Cyberwar in Ukraine
  Meh, lots of speculation: "One was that Russian hackers are not nimble enough to compromise Ukrainian targets during the invasion; a second was that stealthy cyberattacks aren’t that useful when compared to the damage that Russian troops are doing with missiles and bombs; and thirdly that Russian hackers are too busy protecting their own digital infrastructure."
- 3. High-Severity Vulnerabilities Patched in BIND Server
  Looks like DoS-resulting vulnerabilities, though they could still be useful to take out strategic DNS servers, if that's your thing.
- 4. Anonymous hacks unsecured printers to send anti-war messages across Russia
  I still can't understand why people make printers available on the Internet: "The printers were misconfigured, and manually forwarded on the Russian routers. In every case we have reviewed, the port was deliberately forwarded."
- 5. Over 200,000 MikroTik Routers Worldwide Are Under the Control of Botnet Malware
  Crazy: "The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service." Also, links to this in the article: https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/
- 6. Exploring a New Class of Kernel Exploit Primitive – Microsoft Security Response Center
- 7. High-Severity UEFI Vulnerabilities Patched in Dell Enterprise Laptops
  Yea: "These also prove that the majority of enterprise tools available for source code analysis are not suitable for pinpointing firmware-specific security defects. There are multiple reasons, one of the most obvious being the differences in implementations of the memory management functions compared to the non-firmware-specific software. This leads to a false sense of security when no vulnerabilities are detected at source code level." And yep: "Unfortunately, most outsourcing companies developing firmware code for major device vendors do not have product security teams or sometimes even a single employee dedicated to mitigating security risks" - So many examples too, like vendors going to market with a 7-year-old Linux kernel and binaries.... Better article too: https://binarly.io/posts/AMI_UsbRt_Repeatable_Failures_A_6_year_old_attack_vector_still_affecting_millions_of_enterprise_devices And also, these are like 6-year-old vulnerabilities: "Totally I discovered three 0day vulnerabilities in NvmeSmm, SdioSmm and UsbRt drivers from AMI and one in ItkSmmVars driver from Intel. Vulnerabilities was reported to Intel at 15.07.2016 and after several working days both Intel and AMI confirmed all of the security issues. Intel decided to release a single advisory INTEL-SA-00057 to cover all four vulnerabilities:" (Ref: https://github.com/Cr4sh/Aptiocalypsis)
- 8. New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable
  "Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two." Ref: https://mrd0x.com/browser-in-the-browser-phishing-attack/ - Also, I believe the pop-up window uses an image to fake the URL bar, which is an awesome trick (though I did not dig through the source to check if this is actually what it's doing). UPDATE: Okay, I looked at the source and yes, this is what it's doing :)
- 9. Okta investigating claims of customer data breach from Lapsus$ group
  Uh oh: "Okta confirmed today they suffered a security incident in January when hackers compromised a laptop of one of its support engineers that could initiate password resets for customers. An investigation into the breach showed that the threat actors had access to the laptop for five days, during which they were able to access Okta's customer support panel and the company's Slack server." - What could you get from Slack and the support channel? https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/
- 10. Information About HubSpot’s March 18, 2022 Security Incident
- 11. Lapsus$ hackers leak 37GB of Microsoft’s alleged source code
  Source code may not be my target at MS; backdoors in the update servers would be my personal favorite: "In a new blog post published tonight, Microsoft has confirmed that one of their employee's accounts was compromised by Lapsus$, providing limited access to source code repositories." Ref: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/
- 12. Anonymous released 10GB database of Nestlé
  This is where the wild west approach gets messy: "Anonymous has called for a total boycott of Nestle products after the Swiss food conglomerate continued to supply essential goods to Russia despite mounting pressure from competitors to cut ties. In response to intense public pressure to cut ties with Russia in protest of its military assault on Ukraine, more than 400 multinational corporations have either partially or completely exited the country. Nestlé announced earlier this month that it would suspend all exports of its products from Russia except for essential items such as baby formula." - I mean, yea, baby formula.
- 13. OffSecOps: Using Jenkins For Red Team Tooling – HTTP418 InfoSec
- 14. Open Source Maintainer Sabotages Code to [NOT] Wipe Russian, Belarusian Computers
  "RIAEvangelist told Motherboard in an email that “There was no actual code to wipe computers. It only puts a file on the desktop.” He then pointed to a Twitter account he said belonged to him and which had now been targeted by hackers."
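Item 1 above is about untrusted event data (issue titles, PR branch names, comment bodies) being expanded by `${{ ... }}` directly inside a `run:` step, where the shell then interprets it. A workflow linter that flags that pattern is the check a defender would want in a CI repo. This is an added example, not code from the Cycode article or from any project on the page: the two workflow snippets are constructed samples, and the list of untrusted contexts is an assumption that covers the commonly cited cases rather than an exhaustive inventory.

```python
import re

# Assumption: expression contexts whose values an outside contributor controls.
# Common cases only; extend the tuple for your own threat model.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.head_ref",
)

# Matches a ${{ expression }} and captures the expression text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches a `run:` key, optionally as a list item (`- run:`), and its value.
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def is_untrusted(expr):
    """True when the expression starts with an attacker-controllable context."""
    expr = expr.strip()
    return any(
        expr == p or expr.startswith(p + ".") or expr.startswith(p + "[")
        for p in UNTRUSTED_PREFIXES
    )


def find_injections(workflow_text):
    """Return (line_number, expression) for every untrusted expression that is
    expanded inside a `run:` step. Expressions assigned under `env:` are not
    flagged: the shell receives them as variables, not as script text."""
    findings = []
    block_indent = None  # indent of the `run` key while inside a `|`/`>` block
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if block_indent is not None:
            if stripped and (len(line) - len(stripped)) <= block_indent:
                block_indent = None  # dedent ends the block scalar
            else:
                findings.extend((lineno, e) for e in EXPR_RE.findall(line)
                                if is_untrusted(e))
                continue
        m = RUN_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3)
        if value.startswith(("|", ">")):
            block_indent = key_indent  # multi-line script follows
        else:
            findings.extend((lineno, e) for e in EXPR_RE.findall(value)
                            if is_untrusted(e))
    return findings


# Constructed sample: the vulnerable shape, with event data inlined into shell.
VULNERABLE_WORKFLOW = """\
name: triage
on: [issues, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - name: lint
        run: |
          BRANCH="${{ github.head_ref }}"
          echo "$BRANCH"
      - run: echo "${{ github.sha }}"
"""

# Constructed sample: the hardened shape, passing the same data via env vars.
HARDENED_WORKFLOW = """\
name: triage
on: [issues, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: safe
        env:
          TITLE: ${{ github.event.issue.title }}
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "New issue: $TITLE"
          echo "Branch: $BRANCH"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        print(label, find_injections(text))
```

Run it against a checkout's `.github/workflows/*.yml` files and fail the build on any finding; the fix for each hit is the `env:` indirection shown in the hardened sample, which keeps the value out of the script text entirely. The scanner is deliberately text-based so it runs without a YAML library, which also means it only understands the common `run:` layouts shown here.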
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. Most NASA Systems at Risk From Insider Threats: Audit
  NASA’s Inspector General has concluded an audit of the agency’s information technology systems that found its classified platform has effective insider threat countermeasures. However, the agency’s unclassified systems (which do contain sensitive information) possess substantial insider threat risks and require attention.
- 2. Emotet malware campaign impersonates the IRS for 2022 tax season
  The Emotet malware crew reared its head in 2014 and has become the world’s most feared financial crime-oriented hacking group. They are ramping up their malware campaign as America’s tax season escalates. Their phishing emails emulate something that would be sent from the Internal Revenue Service, with malicious file attachments that the reader is urged to immediately open.
- 3. Exotic Lily initial access broker works with Conti gang
  Researchers say they have linked the new initial access broker "Exotic Lily," which provides access to previously compromised entities, to operations being conducted by the "Conti" ransomware group. Exotic Lily is currently exploiting the Microsoft Windows MSHTML vulnerability (CVE-2021-40444) in phishing campaigns that have distributed more than 5,000 phishing emails per day targeting some 650 organizations from around the world.
- 4. FBI: Avoslocker ransomware targets US critical infrastructure
  The FBI, U.S. Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) have issued a TLP:WHITE joint security advisory warning that the "AvosLocker" ransomware-as-a-service (RaaS) is being actively used in attacks targeting various U.S. critical infrastructure sectors.
- 5. High-Severity Vulnerabilities Patched in BIND Server
  The Internet Systems Consortium (ISC) has released security updates to address three high-severity flaws (CVE-2022-0635, CVE-2022-0667, CVE-2021-25220) affecting the Berkeley Internet Name Domain (BIND) server software.
- 6. Anonymous leaked data stolen from Russian pipeline company Transneft
  Anonymous hacked Omega Company, the in-house R&D unit of Transneft, the Russian oil pipeline giant, and leaked stolen data. The Anonymous collective claims it has 79GB of stolen emails, and leaked those emails on the "Distributed Denial of Secrets" whistleblower site.
- 7. White House issues call to action in light of new intelligence on Russian cyberthreat
  The Biden administration once again urged private sector firms to address known vulnerabilities and harden their cyber defenses given the increased possibility of Russian cyber attacks targeting U.S. critical infrastructure.
- 8. Microsoft investigating claims of hacked source code repositories
  Microsoft has revealed it is now investigating claims from the "Lapsus$" data extortion gang that it breached Microsoft's internal Azure DevOps source code repositories on March 20 and stole data.
- 9. Okta investigating claims of customer data breach from Lapsus$ group
  According to Lapsus$, it was able to steal "superuser/admin" access to Okta.com, which allowed it to access the customer data. Per CEO Todd McKinnon, "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."