HNNEpisode204

From Paul's Security Weekly
Jump to: navigation, search

Recorded January 22, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Annoucements:

    • RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4 – 8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s newest developments. Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass!
    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. A flaw in MySQL could allow rogue servers to steal files from clients - The flaw resides in the file transfer process between a client host and a MySQL server, it could be exploited by an attacker running a rogue MySQL server to access any data that could be read by the client...A client receives file-transfer requests from the MySQL server based on the information it provides in the LOAD DATA statement. A rogue server could send a LOAD DATA LOCAL statement to the client to get access to any file for which the client has read permission.
    2. 0patch releases micropatch for Windows Contacts RCE zero-day - Help Net Security - It is difficult to trust 3rd party patches, yet here we are: 0patch is a solution that aims to fix 0days, unpatched vulnerabilities, end-of-life and unsupported products, provide patches for legacy operating systems, as well as vulnerable third party components and customized software. Users who want to implement the micropatch have to install and register the 0patch agent.
    3. State agency exposes 3TB of data, including FBI info and remote logins - Oklahoma’s Department of Securities (ODS) exposed three terabytes of files in plain text on the public internet this month, which contained sensitive data including social security numbers, details of FBI investigations, credentials for remote access to computers, and the names of AIDS patients. Researchers at security company UpGuard found the files using the Shodan search engine, which indexes internet-connected devices. In this case, they ran across an unsecured rsync server registered to ODS.
    4. Microsoft partner portal 'exposes 'every' support request filed worldwide' today - Here is a fancy way to describe a situation that Microsoft is fixing and had very little impact: Another Microsoft small biz specialist contacted us to say "Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours". With no customer details being visible, it is unlikely this embarrassing SNAFU will get MS in trouble with data protection laws or watchdogs. However, the cockup will leave the American multinational with more than a few red faces.
    5. Get in the bin: Let's Encrypt gives admins until February 13 to switch off TLS-SNI - The attack looks like this: In January 2018, Let's Encrypt discovered that validation based on TLS-SNI-01 and its planned successor TLS-SNI-02 could be abused. As we explained at the time: "A company might have investors.techcorp.com set up and pointed at a cloud-based web host to serve content, but not investor.techcorp.com. An attacker could potentially create an account on said cloud provider, and add a HTTPS server for investor.techcorp.com to that account, allowing the miscreant to masquerade as that business – and with a Let's Encrypt HTTPS cert, too, via TLS-SNI-01, to make it look totally legit.”
    6. Prioritizing Vulnerabilities Is Key to Patching Success, Report Finds
    7. How Cybercriminals Clean Their Dirty Money - Criminals are a crafty bunch sometimes: According to news accounts, criminals were booking fake Airbnb stays to launder dirty money. They used credit cards and money transfers from mule accounts to book and pay for rooms through this peer-to-peer platform. All of this is conducted online and is a very effective way to turn illicit proceeds into legitimate earnings. Plus, it has the added advantage of moving many of these payments across borders.
    8. Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems - Get updating, er, but wait, what if your update software is vulnerable? Just today, a security researcher revealed details of a critical remote code execution flaw in Linux APT, exploitation of which could have been mitigated if the software download manager was strictly using HTTPS to communicate securely. Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.
    9. Beware the man in the cloud: How to protect against a new breed of cyberattack - Help Net Security - So simple: To gain access to cloud accounts, MitC attacks take advantage of the OAuth synchronisation token system used by cloud applications. The majority of popular cloud services – Dropbox, Microsoft OneDrive, Google Drive, and more – each save one of these tokens on a user’s device after initial authentication is completed. This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token...Once executed on the victim’s device, this malware installs a new token (belonging to a new account that the attacker created) and moves the victim’s real token into a cloud sync folder. Then, when the victim’s device next syncs, it syncs the victim’s data to the attacker’s account instead of the victim’s.
    10. Clever Smartphone Malware Concealment Technique - Schneier on Security - This is a cat and mouse game: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks. I'm sure you can emulate that, but can you detect the emulation of movement in an emulated environment?
    11. Attackers used a LinkedIn job ad and Skype call to breach banks defences - The attackers set up a Skype call to conduct an interview during which the individual was tricked into downloading a file called ApplicationPDF.exe, sent via a weblink, which subsequently infected the employee’s computer. There’s a technical side to what happened next which Flashpoint analyses in some detail based on what it knows about the malware used. The malware is said to have executed successfully enough that the attackers were able to explore the network for new security gaps. At some point, this was noticed and further probes were blocked. - Yes, you could block Skype, but playing wack-a-mole is a losing game. Training, awareness, secure file transfer solution, advanced endpoint security and more could have helped much better.
    12. Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution - Help Net Security - “A device manufacturer supplies appropriate firmware images and operating system device drivers, so during startup, a driver can upload firmware enabling its main functionality to the Wi-Fi SoC,” he explained. He discovered several vulnerabilities in the ThreadX proprietary firmware, but according to him the most interesting one is a block pool overflow that can be triggered without user interaction as the device scans for available networks. This vulnerability can be exploited when a Wifi device is looking for available networks, requiring no user interaction. The vulnerable chipsets are used in devices such as the Sony PlayStation 4, Microsoft Surface computers, Xbox One, Samsung Chromebooks and more.

    Expert Commentary:

    Spotting a scam: Attackers used a LinkedIn job ad and Skype call to breach bank’s defences

    One of the things I learned while working as a consultant is that people enjoy and remember a good story. They don’t get like hearing about the technical details of something; much less remember them. But they do remember a story and ones that they can recognize themselves in can have an even greater impact. So here’s a story that you can pass on to your colleagues.

    A Chilean bank named Redbanc experienced a security incident that ended up with an attacker on their internal network. The successful compromise started when the attacker created an advertisement on LinkedIn for an open developer position. A software developer at Redbanc thought that this sounded interesting and they contacted the attacker about the position. Sure enough, the attackers were interested in talking to the developer, so a video interview was set up.

    They got on Skype and started the job interview. During the process, the attacker asked the targeted developer to download a file to assist in the application process. The file was named ApplicationPDF.exe. The application allowed the victim to apply for the job. It asks the potential employee (aka victim) to enter a lot of the usual information required to apply for a job. The victim ran the exe and infected their computer system. From there, the attacker used this system to look for additional vulnerabilities and try to spread. This was noticed by Redbanc and was ultimately shut down.

    There’s some fun stuff here in this story to tell others about. First, most of us could recognize ourselves in the employee looking for a new gig. There was no phishing email here that someone responded to. They were looking for work on LinkedIn and found a job that looked cool. The request to set up a Skype interview is not unusual. I’ve worked for several different companies in the 10 years I lived in my current state and none of them were in Utah. Remote work is becoming much more common and so is using things such as Skype, Zoom, etc to conduct them.

    The interesting bit is when they ask the victim to download the exe to apply for the job. You can almost hear the explanation, “We use this internally developed app to collect applications. Can you download it to fill out the application?” The victim wants the job, so they comply. They are applying for a new job while at work! The chances of them making any report of this is almost zero! Plus it looked like it was exactly what they said it was, so what’s to report?

    This is a great story to tell in your organization. It should be on your internal employee portal/wiki/whatever. If you do awareness emails or newsletters, this should be on top. Don’t get into the technical details about it. Just tell the story, then explain the impact. The impact isn’t that the attacker deployed the PowerRatankba RAT to the system. The impact is that the victim was tricked into giving an attacker remote access to the bank. The attackers were looking for new targets to compromise and it could have been really bad if the bank’s monitoring hadn’t picked it up. Make it a story that people can retell and not feel like they are screwing up the technical details. Or get sidetracked into them. It’s stuff like this that can impact make an impact on your co-workers and improve their ability to spot a scam.

    FlashPoint's Analysis of the malicious application


    Follow us on Twitter Watch Security Weekly videos Listen to Security Weekly Security Weekly fan page Connect with Paul Google+