Security News w/ Ed Skoudis – PSW #676
Ed Skoudis returns to talk to us about the Holiday Hack Challenge! Then, in the Security News, Thousands of unsecured medical records were exposed online, Advanced Persistent Threat Actors Targeting U.S. Think Tanks, WarGames for real: How one 1983 exercise nearly triggered WWIII , The Supreme Court will hear its first big CFAA case, TrickBoot feature allows TrickBot to run UEFI attacks, and Cyber Command deployed personnel to Estonia to protect elections against Russian threat!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
SCYTHE is offering a FREE purple team workshop where attendees get hands-on in an isolated enterprise environment for three hours! It is scheduled for December 9th (the day before Security Weekly Unlocked!) Register for this free workshop now: https://securityweekly.com/purpleteamsw
Guest
Ed Skoudis is a Faculty member at IANS Research and the founder of Counter Hack, a company focused on conducting ultra high-quality penetration tests and red team engagements to help organizations better manage their cyber risks. Ed is a SANS Fellow, author, and instructor who has trained over 20,000 cyber security professionals in the art of penetration testing and incident response. Ed is an expert witness who is often called in to analyze large-scale breaches.
Hosts
- 1. Home Wi-Fi security tips – 5 things to checkIn reality, it's just two: Enable encryption and set a "good" password. Firmware updates should happen automatically in a perfect world, but really no one is going to apply those unless there is a problem.
- 2. Why Vulnerable Code Is Shipped Knowingly
- 3. It’s hard to keep a big botnet down: TrickBot sputters back toward full health – CyberScoop
- 4. WarGames for real: How one 1983 exercise nearly triggered WWIII"As it turned out, Exercise Able Archer '83 triggered that forecast. The war game, which was staged over two weeks in November of 1983, simulated the procedures that NATO would go through prior to a nuclear launch. Many of these procedures and tactics were things the Soviets had never seen, and the whole exercise came after a series of feints by US and NATO forces to size up Soviet defenses and the downing of Korean Air Lines Flight 007 on September 1, 1983. So as Soviet leaders monitored the exercise and considered the current climate, they put one and one together. Able Archer, according to Soviet leadership at least, must have been a cover for a genuine surprise attack planned by the US, then led by a president possibly insane enough to do it."
- 5. The Supreme Court will hear its first big CFAA case – TechCrunch
- 6. Exploring malware to bypass DNA screening and lead to ‘biohacking’ attacks
- 7. A scan of 4 Million Docker images reveals 51% have critical flawsHow accessible these vulnerabilities remain up for debate: "Container security firm Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and discovered that the majority of them had critical vulnerabilities. The cybersecurity firm used its Prevasio Analyzer service that ran for one month on 800 machines. 51% of the 4 million images were including packages or app dependencies with at least one critical flaw and 13% had high-severity vulnerabilities. The dynamic analysis also revealed 6,432 malicious or potentially harmful container images, representing 0.16% of all publicly available images at Docker Hub."
- 8. TrickBoot feature allows TrickBot bot to run UEFI attacksActual research: https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/ - "Collaborative research between Advanced Intelligence (AdvIntel) and Eclypsium has discovered that the TrickBot malware now has functionality designed to inspect the UEFI/BIOS firmware of targeted systems. This new functionality, which we have dubbed “TrickBoot,” makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. At the time of writing, our research uncovered TrickBot performing reconnaissance for firmware vulnerabilities. This activity sets the stage for TrickBot operators to perform more active measures such as the installation of firmware implants and backdoors or the destruction (bricking) of a targeted device."
- 9. Cyber Command deployed personnel to Estonia to protect elections against Russian threat – CyberScoopWhat many outside of our field may not have understood (esp. as they watched Chris Krebs on 60-minutes) is that we hacked into other nation-states to protect the election. I present this as my evidence: "Personnel from the U.S. Department of Defense’s Cyber Command deployed to Estonia in recent months as part of a broader effort to protect U.S. elections against foreign hacking, American and Estonian officials announced Thursday. The mission allowed personnel from U.S. Cyber Command and Estonia’s Defense Forces Cyber Command to collaborate on hunting for malicious hacking efforts on critical networks from adversaries, officials said. Estonia in particular could help the U.S. glean intelligence about Russian cyber-operations, as it has borne the brunt of Russian hacking in the past."
- 10. Researchers Bypass Next-Generation Endpoint Protection
- 11. A DMZ, what is that?"A DMZ is a network typically exposing public services like web, DNS or email functions, in a subnetwork separated from the internal network of a company. The main purpose of this subnet separation is to protect internal systems while providing these services to untrusted networks like the Internet."
- 12. Baltimore County Schools close after a ransomware attackWhy does Baltimore keep getting hit? Should it be illegal to pay a ransom? Also, this: "The sad news is that the incident was not a surprise, the Baltimore County Public Schools system was notified by state auditors of several cybersecurity flaw the day before the district was hit with the ransomware attack. The audit was published by the Baltimore Sun. "Significant risks existed within BCPS computer network,” the audit stated. “For example, monitoring of security activities over critical systems was not sufficient, and its computer network was not properly secured. In this regard, publicly accessible servers were located in BCPS internal network rather than being isolated in a separate protected network zone to minimize risks."
- 13. The biggest hacks, data breaches of 2020
- 14. DarkIRC botnet is targeting the critical Oracle WebLogic CVE-2020-14882
- 15. Email Spoofing ????
- 16. Dua Lipa and other Spotify artists’ pages hacked by Taylor Swift ‘fan’Spotify has not publicly said anything about the attack or how it happened, but has been contacted for comment.
- 17. Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks
- 18. Ethical hackers and a “dangerously vague” statute"In the past, this statute and its ambiguous language have served to deter software developers and others from exposing vulnerabilities. If it continues to do so, will organizations and consumers end up paying the price? As the law presently stands, there is no way to criminalize malicious actions without simultaneously criminalizing other groups, such as white hat hackers."
- 1. COVID-19 and Cybersecurity: ‘Catastrophic Attack on Our Technology Systems’Ransomware attacks shut down school systems in Baltimore and Chicago.
- 2. The ‘smartest man in the room’ has joined Sidney Powell’s teamSomeone sent me this link and asked me if the guy is a big deal in our industry...I think this is fake news! But how can you be reasonably sure?
- 1. Thousands of unsecured medical records were exposed online
- 2. An iOS zero-click radio proximity exploit odyssey
- 3. Call Fraud Operator Ordered to Pay $9M to Victims
- 4. Evilginx-ing into the cloud: How we detected a red team attack in AWS – Expel
- 5. Hackers are trying to disrupt the COVID-19 vaccine supply chain
- 1. Carrefour Handed $3.7m GDPR FineFrance-based retailer Carrefour and its banking division have been fined more than €3 million EUR (~$3.6 million USD) by the French Commission nationale de l’informatique et des libertés (CNIL) for multiple data breaches that violated the EU's GDPR.
- 2. Talos reported WebKit flaws in WebKit that allow Remote Code ExecutionTalos experts found flaws in the WebKit browser engine that can be also exploited for remote code execution via specially crafted websites. Consider this medium-risk due to the potential to execute arbitrary code, offset by the user interaction required for exploitation.
- 3. Palo Alto researchers said Baidu apps could have tracked users ‘over their lifetime’According to Palo Alto Networks, the Baidu apps were collecting user data such as MAC addresses, carrier information, and IMSI numbers stored on SIM cards from victims' phones.
- 4. This critical software flaw is now being used to break into networks – so update fastThe U.K.'s National Cyber Security Centre (NCSC) has issued a warning about a critical remote code execution vulnerability (CVE-2020-15505) affecting the MobileIron mobile device management (MDM) software that is reportedly being used by state-backed hackers and organized crime groups to access and steal data from government, healthcare provider, and other networks.
- 5. Advanced Persistent Threat Actors Targeting U.S. Think Tanks
- 6. Vietnam-Linked Cyberspies Use New macOS Backdoor in AttacksTrend Micro’s security researchers say they believe the Vietnamese advanced persistent threat (APT) group "OceanLotus" (APT-C-00, APT32) has been leveraging a new macOS backdoor in attacks designed to steal sensitive data from government and corporate organizations throughout Southeast Asia.
- 7. Industrial computer manufacturer Advantech hit with a ransomware attack – SiliconANGLEAdvantech received a ransom demand for 750 Bitcoin ($13.8 million), but publication of stolen data by Conti operators indicates that the company has at least so far refused to make the payment.
- 8. Digitally Signed Bandook Malware Once Again Targets Multiple SectorsThe "Dark Caracal" cyber espionage group, which is suspected to have ties to the Kazakh and Lebanese governments, has been spotted leveraging a re-tooled version of the 13-year-old "Bandook" Windows Trojan, also known as HAIRBALL, in attacks targeting various sectors in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the U.S.
- 9. iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks everReally cool hack. Be sure to read the linked white paper from Ian Beer.