HNNEpisode217

From Paul's Security Weekly

Recorded May 7, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking - If the victim has the Dell SupportAssist software installed, it can be exploited by visiting a malicious site in a web browser. All of the PoC code is available, including a demo video. Dell has patched the issue, describing the vulnerability as follows: "An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites," multinational computer technology company Dell said in an advisory. Pre-installed software from your hardware vendor tends to contain vulnerabilities, as we've covered many of this same type and class over the years. I always prefer to do a clean install of the OS, and highly recommend that you do the same.
    2. Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers - This will make folks think twice about hacking other countries, especially Israel: The Israel Defense Force (IDF) claims to have neutralized an "attempted" cyber attack by launching airstrikes on a building in the Gaza Strip from where it says the attack originated. As shown in a video tweeted by the IDF, the building in the Gaza Strip, which Israeli fighter drones have now destroyed, was reportedly the headquarters for Palestinian Hamas military intelligence, from where a cyber unit of hackers was allegedly trying to penetrate Israel's cyberspace.
    3. High-Severity PrinterLogic Flaws Allow Remote Code Execution - It seems there is no interest from the vendor in fixing these flaws: PrinterLogic’s Print Management software allows businesses to deploy and use remote printers. Unfortunately, it has three flaws that could allow an unauthenticated, remote attacker to execute arbitrary code with admin privileges. No patch is currently available, according to an advisory. “PrinterLogic versions up to and including 18.3.1.96 are vulnerable to multiple attacks,” according to a Friday advisory. “The PrinterLogic agent, running as SYSTEM, does not validate the PrinterLogic Management Portal’s SSL certificate, validate PrinterLogic update packages or sanitize web browser input.”
    4. Expert found over a hundred vulnerable Jenkins plugins - It may be some time before we see security maturity develop for DevOps toolchain utilities and software: Viktor Gazdag, an NCC Group Security Consultant, manually tested hundreds of Jenkins plugins and discovered security flaws in over 100 of them. Jenkins plugins implement additional functionality such as Active Directory authentication, or handle recurring tasks such as running a static code analyser or copying compiled software to a CIFS share. Most of the issues are passwords stored in plain text, and cross-site request forgery (CSRF) issues combined with missing permission checks that attackers could exploit to steal credentials.
    5. Mysterious attacks wipe Git repositories and ask a ransom to rescue code - And speaking of securing your DevOps environments, authentication is "key": Experts believe the attackers are targeting poorly secured repositories and don’t seem to be exploiting specific vulnerabilities in Git repositories. The victims reported that the ransom note includes a reference to gitsbackup[dot]com; the crooks are demanding about $560 worth of Bitcoin. “I was working on a project and suddenly all the commits disappeared and were replaced with a single text file,” Stefan Gabos, who was using SourceTree (3.1.3), wrote on Stack Exchange. “To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address
    6. A bug in Mirai code allows crashing C2 servers - The irony is that Mirai itself contains a buffer overflow due to a lack of proper bounds checking: The expert pointed out that a Mirai C2 server crashes when someone connects to it using a username of 1025 or more “a” characters. Analyzing part of the Mirai source code available on GitHub, the experts noticed that the username is passed to the custom Readline function. This function declares a fixed buffer of 1024 bytes, so any input longer than 1024 bytes causes the module to crash.
    7. An attempt to phish my Amazon Web Services account - Warn your users not to fall for this stuff, as it’s pretty easy to spot: Most of the phishing emails I see are fairly rudimentary, often targeting users of the same-old websites (Facebook, Apple, PayPal, etc…) or a variety of online banks. It’s not that unusual for the emails to be less than convincing. What I don’t remember receiving before is an email purporting to come from Amazon Web Services (AWS), claiming that unless I confirm I have given my correct contact information for a domain’s WHOIS record, a website I administer could be suspended.
    8. Researchers discover highly stealthy Microsoft Exchange backdoor - Help Net Security - LightNeuron – as the backdoor has been dubbed by ESET researchers – is remotely controlled via emails using steganographic PDF and JPG attachments and is believed to have been used by the Turla cyber espionage group... “Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can be created by Microsoft, third-party vendors, or directly within an organization,” the researchers explained. As mentioned before, the backdoor can block emails, modify their body, recipient and subject, create new emails, replace attachments, and re-create and re-send emails from the Exchange server to bypass the spam filter. It can create email and attachment logs, encrypt emails and store them, and parse JPG/PDF attachments and decrypt and execute the commands found in them.
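    The Mirai C2 crash in item 6 is the classic fixed-buffer line reader with no length check. The following is an added example, not Mirai's own source and not the researcher's PoC: an illustrative reader in the shape of the bug described, next to a bounded version that refuses an over-long username instead of overrunning the buffer. The function names, the in-memory input (standing in for the socket read) and the 1024-byte buffer size are assumptions chosen for the demonstration; the test usernames are constructed here.

```c
/* Added example, not Mirai's own code: a fixed-size line reader with no
 * bounds check (the bug class described above) beside a bounded version.
 * Input comes from an in-memory byte string so the example runs offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF 1024   /* the fixed buffer size the article describes */

/* Vulnerable shape (illustrative, deliberately NOT called in this file):
 * copies bytes until a newline with no check against the destination, so a
 * username of LINE_BUF+1 or more bytes writes past `buf` on the stack. */
int readline_unchecked(const char *src, size_t srclen, char *buf)
{
    size_t i = 0;
    while (i < srclen && src[i] != '\n') {
        buf[i] = src[i];      /* no i < LINE_BUF check: stack overflow */
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Hardened version: never writes past buflen-1 and reports an over-long
 * line as an error (-1) instead of overflowing. Returns the number of
 * bytes in the line on success. */
int readline_bounded(const char *src, size_t srclen, char *buf, size_t buflen)
{
    size_t i = 0;
    if (buflen == 0)
        return -1;
    while (i < srclen && src[i] != '\n') {
        if (i + 1 >= buflen) {  /* leave room for the terminating NUL */
            buf[0] = '\0';
            return -1;
        }
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Simulates the C2 login prompt: accept a username line, reject anything
 * that does not fit in the 1024-byte buffer. Returns 1 if accepted, 0 if
 * rejected; the server keeps running either way. */
int c2_accept_username(const char *src, size_t srclen)
{
    char username[LINE_BUF];
    return readline_bounded(src, srclen, username, sizeof username) >= 0;
}

/* Constructed test input: n copies of 'a' followed by '\n'. Caller frees. */
char *make_username(size_t n)
{
    char *s = malloc(n + 2);
    if (!s)
        return NULL;
    memset(s, 'a', n);
    s[n] = '\n';
    s[n + 1] = '\0';
    return s;
}

int main(void)
{
    size_t lens[] = { 8, 1023, 1024, 1025 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        char *u = make_username(lens[k]);
        if (!u)
            return 1;
        printf("username of %zu 'a's: %s\n", lens[k],
               c2_accept_username(u, strlen(u)) ? "accepted" : "rejected");
        free(u);
    }
    return 0;
}
```

    Because a C string needs its terminating NUL, a 1024-byte buffer holds at most 1023 characters, so the bounded reader rejects a 1024-character username as well as the 1025-character one from the article; the property that matters is that the server returns an error for the over-long line rather than writing past the end of the buffer.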

    Expert Commentary:

    Japan is developing a computer virus to fight cyberattacks, claim reports

    I ran into this post by Graham Cluley last week and thought it was interesting to read. Then today I found another post, this time at ZDNet, discussing Japan’s decision to create “defensive” malware to use as a deterrent against attacks on the country. Is it one tool or a set of tools? The information available doesn’t explicitly say. However, they use the terms virus, backdoor, and malware. That seems to indicate a set of tools. If nothing else, the flexibility to respond in different situations would indicate a set of tools, even if they fall under a single named suite of applications.

    ZDNet’s blog post focuses mainly on the program to create the tools. Briefly, it/they are being created by contractors for the Japanese government and are expected to be completed by the end of this fiscal year. The tools are not supposed to be used in offensive operations and are only to be deployed in a “counterattack” to an intrusion. Would the tools be a worm that self-replicates? No idea. That information isn’t available at this point.

    Graham’s post asks a number of good questions about the use of this tool. This is primarily where my thoughts went when I read the posts. My first question is how the heck do you control it if it turns out to be self-replicating? If it is, then unintended consequences seem likely if it is deployed. Pivoting through other systems not owned by the attacker is common. What happens if Japan deploys this and infects a business in Japan? Or worse, infects a company in a country that doesn’t like Japan very much? How will that play out in the relations between the countries? Will the other country retaliate because they got unexpectedly hit? It’s not hard to imagine a scenario where Japan decides to counterattack and gets the computer(s) in the middle and misses the attacker entirely.

    The articles mention that this is intended as a deterrent against computer attacks made on Japan. Will it have this effect? I think the answer is probably not. At least it hasn’t appeared to be a deterrent in countries like the US, UK, Russia, China, etc. All of these countries maintain capabilities in this area and attacks are occurring left and right.

    I also have to wonder how the decision will be made to deploy the tools. Who has the authority to give approval for a counterattack? How will politics impact that decision? Would it even be made in a timely enough fashion (if it was effective at all) to be relevant to the attack? Or is it made after the intrusion, from other infrastructure? I could see this being the more likely scenario. Japan decides to go after the attackers and a host of other organizations become involved. Forensics gathers information about the attack and forwards it to Intelligence. Intel identifies probable perpetrators and sends that information to Japan’s attack team. They then execute the attack in response to the initial intrusion. Of course, I could be totally wrong and they plan on deploying it on the victim’s systems in the middle of the attack.

    Anyhow, the interesting thing here is how governments are starting to openly acknowledge responding to intrusions with intrusions of their own. In this case, it is staying limited to computer systems being attacked. Israel just responded to Hamas attacking via computers with bombs. The US used a drone strike to kill the person leading ISIL’s group of attackers. In the end, computer attacks by countries are being responded to in kind and sometimes with conventional military responses.

    Japanese government to create and maintain defensive malware

    In a first, Israel responds to Hamas hackers with an air strike

