Recorded April 16, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcast with ServiceNow by going to https://securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find them at https://securityweekly.com/ondemand.
- You can now submit your suggestions for guests in our recently released guest suggestion form! Go to https://securityweekly.com/guests and enter your suggestions!
- We've heard from our listeners that they love our content, but the amount of content we distribute can sometimes be overwhelming. We've recently released our customizable listener interest list. Visit https://securityweekly.com/subscribe and click the button to Join the Listener List and let us know your interests.
- Apache Tomcat Patches Important Remote Code Execution Flaw - The remote code execution vulnerability, tracked as CVE-2019-0232, resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled. The flaw stems from the way the Java Runtime Environment (JRE) passes command line arguments to Windows. “When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability),” wrote Mark Thomas from the Apache Foundation.
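A defender-side check for the two preconditions named above, added here as an example and not code from the page, Tomcat or Apache: a small Python audit (hypothetical helper; the web.xml sample is constructed) that flags a CGIServlet declaration that is both mapped to a URL and has enableCmdLineArguments set to true. It inspects configuration only; whether the host is Windows still has to be checked separately.

```python
"""Audit a Tomcat web.xml for the CVE-2019-0232 precondition: a mapped
CGIServlet with enableCmdLineArguments=true (hypothetical helper, not Tomcat's)."""
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    # Drop the XML namespace so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child named `name`, or "" if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_cgi_servlet(web_xml):
    """Return (servlet_name, is_mapped, cmdline_args_enabled) per CGIServlet."""
    root = ET.fromstring(web_xml)
    mapped = {_text(m, "servlet-name") for m in root if _local(m.tag) == "servlet-mapping"}
    findings = []
    for s in root:
        if _local(s.tag) != "servlet" or _text(s, "servlet-class") != CGI_CLASS:
            continue
        enabled = False
        for p in s:
            if _local(p.tag) == "init-param" and _text(p, "param-name") == "enableCmdLineArguments":
                enabled = _text(p, "param-value").lower() == "true"
        name = _text(s, "servlet-name")
        findings.append((name, name in mapped, enabled))
    return findings

def is_exposed(web_xml):
    """True when a CGIServlet is mapped *and* forwards command line arguments."""
    return any(m and e for _, m, e in audit_cgi_servlet(web_xml))

# Constructed sample: the CGI servlet is uncommented, mapped, and has the flag on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit_cgi_servlet(SAMPLE_WEB_XML), is_exposed(SAMPLE_WEB_XML))
```

Point it at conf/web.xml (and any per-application WEB-INF/web.xml, where the servlet can also be declared) to find deployments where the default-disabled option has been turned on.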
- New variants of Mirai botnet detected, targeting more IoT devices - Researchers at Palo Alto Networks’ Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, baseband radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018. These attacks will continue as Mirai is open-source and attackers can fly under the radar by compromising embedded systems that typically have no user present on the system and no protections that detect or prevent attacks.
- Hackers used credentials of a Microsoft Support worker to access users' webmail - From MS: “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Microsoft told the victims. “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of the other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.” However, according to a Motherboard source who purportedly witnessed the attack, and screenshots he or she provided, the attackers were able to see the content of some of the affected customers’ emails. The source also said the attackers gained and kept access to the abused Microsoft internal customer support portal for at least 6 months.
- TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids - Technology aimed at kids needs better security across the board: Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children’s location, spoof the child’s location or view personal data on the victims’ accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch’s service and app while it investigates further. Researchers found that the service’s back end does not perform any authorization check on any request, beyond the user having a valid username and password combination.
- Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest - Hacktivism at its finest: Javier Jara, undersecretary of the electronic government department of the telecommunications ministry, confirmed that groups linked to Julian Assange launched “volumetric attacks” that blocked access to the internet. Government websites were hit by massive DDoS attacks that isolated them from the Internet; most of the attacks targeted websites of the foreign ministry, the central bank, the president’s office, the internal revenue service, and several ministries and universities.
- Security weakness in popular VPN clients - This sounds pretty bad: So far, the issue has only been confirmed in applications from four vendors – Palo Alto, F5 Networks, Pulse Secure, and Cisco – but others could be affected. The problem is the surprisingly basic one that the applications have been insecurely storing session and authentication cookies in memory or log files, which leaves them open to misuse. CERT/CC explains: If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
- Open Source Tool From FireEye Automates Analysis of Flash Files - Dubbed FLASHMINGO, the framework integrates with analysis workflows as a stand-alone application, but can also be used as a library, and allows for an expansion of its functionality via custom Python plug-ins. FLASHMINGO takes advantage of the open SWIFFAS library for the parsing of SWF (Flash) files. It uses a large object named SWFObject to store information about the SWF, including a list of tags, information about methods, strings, constants and embedded binary data, and more. “It is essentially a representation of the SWF file in an easily queryable format. FLASHMINGO is a collection of plug-ins that operate on the SWFObject and extract interesting information,” FireEye explains.
Malware and Ransomware and Nation-States, Oh My!
One of the risks we run in security is that we need to keep up on the changes occurring in how the bad guys work, while still staying focused on the larger view of what we are doing. It can be very tempting to become hyper-focused on a particular issue, whether you are promoting the idea or debunking it. The downside of doing so is that we can lose sight of how defending against a particular issue or trend fits in with our overall defenses. This gets worse when the Pointy-Haired Boss comes to us in a panic because they heard that the Elbonians are waging cyberwar against businesses.
I read two blog posts that got me thinking while preparing for today’s episode. The first was titled, “The impact of cyberwarfare” at infosecinstitute[.]com. The second post was, “Why Ransomware Continues to Be an Immensely Profitable Business for Bad Actors” on the Bitdefender blog. These posts are focused on issues that are fairly hot button topics for us and ones that it can be tempting to get tunnel vision on. After all, coming in and finding your systems are locked up with LockerGoga will ruin your week and may involve looking for a new job.
In my day job as a threat hunter, I’ve noticed that a lot of the activity we see comes down to a few scenarios playing out. Either something wasn’t patched or someone ran malware they received in email as either a download or an attachment. The attacker gains an initial foothold on a few systems this way, lurks about, and then spreads. At some point something makes it obvious that they are there. This might be a locked screen asking for Bitcoin or law enforcement calling to say that they see you have a problem. So what can we do to defend ourselves and avoid becoming obsessed with the APTs in our networks?
I’m going to use ransomware as an example. First, investigate the threat you are concerned about. For ransomware, take a look at how it gets on to systems and spreads. If it comes via phishing emails, then what are we doing to defend against this? A core list of things to defend against this are:
- email filtering
- employee training
- endpoint detection
- offline backups
That’s not intended to be an exhaustive list. However, do they sound like things we normally would be addressing in infosec? Yes, they should be. Will they stop everything? No, of course not. Emails will slip through filters. Someone just has to open that phish. Hosts slip through patching. Our endpoint detection provides us with an opportunity to be notified quickly, if we are paying attention. Offline backups will allow us to recover if we get hit and the online backups get encrypted too.
My point is that this hot button issue is already covered by things we should be focusing on. We need to look at what we are doing and adjust these controls where we need to. But I don’t need to implement a whole new line of defenses to address ransomware. I see lots of WannaCry because a two-year-old patch still hasn’t been applied. At this point, everyone should know they need to deploy patches. I don’t need to have a special WannaCry defense; I need to make sure everything is patched and do the tedious work involved in verifying that.
As you read blog posts on new trends and listen to folks like me give their opinion on what needs to be done, do some analysis on the issue and how your defenses will do against it. If you find a major gap where you don’t have a defense, then it becomes time to start looking for something to address that. Don’t let yourself get completely pulled out of your security program and try to come up with a new defense for each new threat. Keep things manageable and working within the overall program.