Job Expectations, Pi Password Thief, Python Masscan, & Pingback – PSW #693
This week in the Security Weekly News the crew talks: Pingback is back (was it ever really gone?), damn QNAP ransomware, anti-anti-porn software, Qualcomm vulnerabilities, spreading pandas on Discord, the always popular Chinese APTs, exploits you should be concerned about, job expectations, WeSteal your cryptocurrency, quick and dirty Python (without lists), new Spectre attacks, GitHub says don't post evil malware, and more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Hosts
Paul Asadoorian
Principal Security Evangelist at Eclypsium
- 1. 10 Exploits Cybersecurity Professionals are Concerned About – Not one open-source vulnerability on the list, not a bad list, but I am concerned about SSH, Exim and Kernel vulns.
- 2. New Hires Speak Out about Cybersecurity Job Expectations – Security Boulevard – This: “One of the issues we discuss in the report is job descriptions and understanding, as an organization, which skills are needed for which roles,” said Clar Rosso, CEO for (ISC)2, in an email interview. For example, many introductory positions want applicants to hold industry certifications. However, said Rosso, it’s unrealistic to ask entry-level job seekers to hold a CISSP certification—a common certification listed for these jobs—since someone looking for an entry-level position is unlikely to have the requisite five years of experience the certification requires.
- 3. WeSteal, a shameless commodity cryptocurrency stealer available for sale – "A new cryptocurrency stealer dubbed WeSteal is available on the cybercrime underground. Unlike other commodity cryptocurrency stealers, its author doesn’t masquerade its purpose and promises “the leading way to make money in 2021.” WeSteal is a Python-based malware that uses regular expressions to search for strings related to wallet addresses that victims have copied to their clipboard."
- 4. Calculating CVSS – So much room for interpretation!
- 5. Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack
- 6. Raspberry Pi Zero Password Thief – Neat: "The idea of pulling credentials from a locked computer isn’t new. There are commercial products that can do this like the USB Armory and the LAN Turtle. They do, however, cost quite a bit more than a Pi Zero and a USB board. There are trade offs; commercial devices may cost more but definitely look less suspicious, for example."
- 7. Experian API Leaks Most Americans’ Credit Scores – “Shame on you Experian!” Nayyar said. “The credit-score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive — just the sort of data cybercriminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API?”
- 8. Apple Fixes Zero-Days Under Active Attack – "A critical memory-corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution” was addressed with improved state management." WebKit, yeah, seems similar to Chrome and Firefox in terms of vulnerabilities.
- 9. How to apply a Zero Trust approach to your IoT solutions – Microsoft Security – "Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust its identity before making decisions." I mean, or you can just build backdoor credentials into your device, right?
- 10. Working with Webhooks: Security – "In the code above, we extract the X-Shopify-Hmac-SHA256 HTTP header from the request, create a hash based on the Hmac-SHA256 algorithm from the request body, then compare both hashes. Lastly, go ahead and create a constant called secret which would hold the value of the secret Shopify returned to you when you created a new webhook connection. You would want to store that as an environmental variable to ensure it is safe." Better to use a secrets manager, but this is better than not validating or encrypting webhooks (and the traffic via HTTPS).
- 11. Quick and dirty Python: masscan – "Just recently I discovered there is a Python module for both masscan and nmap. So far I have only spent time on the masscan module. Suppose you needed a script which will find all the web servers (port 80, 443) in an address range. It took me about 5 minutes to code up scan_web.py."
- 12. New Attacks Slaughter All Spectre Defenses – "The vulnerability in question is called Spectre because it’s built into modern processors that perform branch prediction. It’s a technique that makes modern chips as speedy as they are by performing what’s called “speculative execution,” where the processor predicts instructions it might end up executing and prepares by following the predicted path to pull the instructions out of memory. If the processor stumbles down the wrong path, the technique can leave traces that may make private data detectable to attackers. One example is when data accesses memory: if the speculative execution relies on private data, the data cache gets turned into a side channel that can be squeezed for the private data through use of a timing attack. The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a writeup from the University of Virginia. Even though the processor quickly realizes its mistake and does a U-turn to go down the right path, attackers can get at the private data while the processor is still heading in the wrong direction."
- 13. CVE-2021-21551 – Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs – "The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."
- 14. Then a Hacker Began Posting Patients’ Deepest Secrets Online – "At around 4 pm, Jere checked Snapchat. An email notification popped up on his screen. His hands began to shake. The subject line included his full name, his social security number, and the name of a clinic where he’d gotten mental health treatment as a teenager: Vastaamo. He didn’t recognize the sender, but he knew what the email said before he opened it."
- 15. Python Lists are not good? – A case for arrays: "Python has a built-in module named ‘array’ which is similar to arrays in C or C++. In this container, the data is stored in a contiguous block of memory. Just like arrays in C or C++, these arrays only support one data type at a time, therefore it’s not heterogeneous like Python lists. The indexing is similar to lists. The type of the array has to be specified using the typecode provided in the official documentation."
- 16. HackListX – A good list: "This is a list of Hacking Streamers derived from the original Hacklists here and here. While I continue to maintain those, there is a collaborative version here that motivated me to create this version while and learn new skills."
- 17. Python also impacted by critical IP address validation vulnerability – "The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the "netmask" library earlier this year."
- 18. GitHub Exploits and malware policy updates – "Our existing language qualified on “active malware and exploits”, which was too broad in practice. Our intent is to narrow scope to “malware and exploits that are directly supporting unlawful activity”." So, like, you can carry a knife, but don't, like, stab anyone or something. Legit software is used for unlawful activity too. Regulating content is hard.
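An added example (not the webhook article's code and not Shopify's own) of the verification described in item 10: HMAC-SHA256 over the raw request body, base64-encoded, compared against the X-Shopify-Hmac-SHA256 header using a constant-time comparison. The secret value, environment variable name and sample payload are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder. The real value is the secret Shopify returns when the
# webhook is created; read it from an environment variable (as the article
# suggests) or, better, a secrets manager. Never hard-code it in production.
WEBHOOK_SECRET = os.environ.get("SHOPIFY_WEBHOOK_SECRET", "constructed-example-secret")

# Constructed sample payload standing in for the raw bytes of a webhook request body.
SAMPLE_BODY = b'{"id": 1234, "email": "customer@example.com", "total_price": "19.99"}'


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body, keyed with the shared secret."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the X-Shopify-Hmac-SHA256 header matches the body.

    The HMAC must be computed over the bytes exactly as received: parsing and
    re-serialising the JSON first would change whitespace or key order and break
    verification. hmac.compare_digest replaces == so the comparison time does not
    reveal how many leading characters of the signature were correct.
    """
    if not header_value:
        return False  # missing header: reject, never skip the check
    expected = compute_signature(secret, raw_body).encode("ascii")
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


if __name__ == "__main__":
    good = compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    print("valid payload accepted:", verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good))
    tampered = SAMPLE_BODY.replace(b"19.99", b"0.01")
    print("tampered payload rejected:", not verify_webhook(WEBHOOK_SECRET, tampered, good))
    print("missing header rejected:", not verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY, None))
```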
Doug White
Professor at Roger Williams University
Larry Pesce
Product Security Research and Analysis Director at Finite State
- 1. An estimated 30% of all smartphones vulnerable to new Qualcomm bug
- 2. They Told Their Therapists Everything. Hackers Leaked It All
- 3. Review
- 4. Shave 99.93% off your Lambda bill with this one weird trick
- 5. Your Car Is Spying on You, and a CBP Contract Shows the Risks – with over two dozen makes
- 6. Pingback: Backdoor At The End Of The ICMP Tunnel
- 7. Video: AirTag gets the teardown treatment, revealing how the speaker works and more – 9to5Mac
- 8. I’ve just been HIT by a global ransomware attack, QNAP need to be held accountable for this
- 9. Josh Duggar’s wife installed anti-porn software on his computer, but Duggar used anti-anti-porn software to download child porn, says fed agent
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. New Windows ‘Pingback’ malware uses ICMP for covert communication – Researchers say they have identified a novel Windows malware sample dubbed "Pingback" that leverages ICMP for C&C communications and DLL hijacking to achieve persistence on targeted Windows 64-bit systems.
- 2. U.S. Organizations Targeted by New Cybercrime Group With Sophisticated Malware – A new threat actor that appears to be financially motivated has targeted many organizations in the United States and other countries. The attacks involved three previously unseen pieces of malware tracked by FireEye as DOUBLEDRAG, DOUBLEDROP and DOUBLEBACK. DOUBLEDRAG is a downloader delivered in the first stage of the attack, which in some cases was replaced with a malicious Excel document that served as a downloader. DOUBLEDRAG is designed to connect to a C&C server and fetch DOUBLEDROP, a memory-only dropper that deploys DOUBLEBACK, a backdoor that is apparently still under development.
- 3. ATT&CK v9 Introduces Containers, Google Workspace – MITRE announced last week that the latest update to the popular ATT&CK framework introduces techniques related to containers and the Google Workspace platform. ATT&CK v9 includes another significant change that consolidates AWS, Azure, and Google Cloud Platform into a single infrastructure-as-a-service (IaaS) platform.
- 4. Utah County’s Online Marriage System Takes Off During Pandemic – Digital marriage licenses. Zoom ceremonies. Everyday citizens becoming wedding officiants. Utah County, Utah's online marriage license system became a big hit after COVID-19 shut down most offices that issue marriage licenses.
- 5. Exclusive: Hackers Break Into Glovo, Europe’s $2 Billion Amazon Rival – A cyber crime group breached the systems of Spanish delivery service Glovo, an Amazon rival, and began selling access to compromised customer and courier accounts, just one month after the company announced it had taken in $1 billion in funding and has plans to go public in a few years.
- 6. Pulse Secure Patches Critical Zero-Day Flaw – Pulse Secure has released a patch addressing the critical authentication bypass vulnerability (CVE-2021-22893). Run the Pulse Secure Integrity Checker prior to patching.
- 7. U.S. government probes VPN hack within federal agencies, races to find clues – The U.S. government says it is investigating a recently discovered supply chain attack in which attackers leveraged vulnerabilities affecting the Pulse Secure VPN to target more than a dozen federal agencies.
- 8. ‘Tens of thousands’ of SIM cards hacked – Hackers are now claiming they have accessed "tens of thousands" of SIM cards following a cyber attack against telecommunications firm Schepisi Communications, which is self-described as a "platinum partner" of Melbourne-based Telstra that provides cloud storage and telephone numbers on behalf of Telstra.
- 9. First Horizon Bank Customers Have Account Funds Drained – Using obtained credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.
- 10. PoC exploit released for Microsoft Exchange bug discovered by NSA – Technical documentation and proof-of-concept (PoC) exploit code is available for a high-severity vulnerability in Microsoft Exchange Server that could let attackers execute code on unpatched systems. Attackers can exploit CVE-2021-28482 if they are authenticated on an on-premises Exchange server instance not patched with Microsoft's April update. A Python-based PoC exploit has been released.
- 11. Contact Tracer Breach Hits the Keystone State – Pennsylvania DOH is accusing contact tracing company Insight Global, which was contracted to provide the state with "contact tracing and other services," of willfully disregarding security protocols and exposing PHI and PII belonging to some 72,000 people.
- 12. Stealthy RotaJakiro Backdoor Targeting Linux Systems – Chelle brought this to my attention. A previously undocumented piece of Linux malware dubbed "RotaJakiro", which functions as a backdoor and has gone undetected for at least three years, has been spotted being used in attacks targeting Linux X64 systems.
- 13. New micro-op cache attacks break all Spectre defences – Researchers at the universities of Virginia and California in the United States have devised new Spectre-style hardware attacks that make it possible to steal data when processes retrieve commands from their micro-op caches.
- 14. TurgenSec finds 345,000 files from Filipino solicitor-general’s office were breached – According to TurgenSec, the compromised documents include documents generated during daily operations, staff training, internal passwords and policies, staff payment information, information related to financial processes, and other activities such as audits.
- 15. Chinese APT Actors Attack Russian Defense In An Espionage Attack – The "PortDoor" backdoor developed by Anonymous is likely being leveraged by Chinese APT actors in phishing attacks targeting Russian firm Rubin Design Bureau, which builds submarines for the Russian Navy Federation. RoyalRoad is used by attackers to create weaponized RTF documents designed to exploit three vulnerabilities (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) affecting Microsoft's Equation Editor.
- 16. CVE-2021-21551 – Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs – Executive Summary: SentinelLabs has discovered five high severity flaws in Dell’s firmware update driver impacting Dell desktops, laptops, notebooks and tablets. See also: https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability