HNNEpisode222

From Paul's Security Weekly

Recorded June 11, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide - Not using the RDP exploit dubbed BlueKeep, but brute forcing: Dubbed GoldBrute, the botnet scheme has been designed in a way to escalate gradually by adding every new cracked system to its network, forcing them to further find new available RDP servers and then brute force them. To fly under the radar of security tools and malware analysts, attackers behind this campaign command each infected machine to target millions of servers with a unique set of username and password combinations, so that a targeted server receives brute force attempts from different IP addresses.
    2. Millions of machines affected by command execution flaw in Exim mail server - The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that's required is for the person to send an email to "${run{...}}@localhost," where "localhost" is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges. A search on BinaryEdge (a service that indexes Internet-connected devices) showed that more than 4.7 million machines are running a vulnerable Exim version. It's a good bet that a non-trivial percentage of these machines are susceptible to the attacks. Updates to version 4.92 are available here.
    3. VLC Player Gets Patched for Two High Severity Bugs - Maintainers of the popular open-source VLC media player patched two high-severity bugs Friday. The flaws were an out-of-bound write vulnerability and a stack-buffer-overflow bug. Developers behind the software, VideoLAN, said the patches were two of 33 fixes being pushed out to the media player and part of a new bug bounty program funded by European Commission. “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the Free and Open Source Software Audit (FOSSA) program,” wrote Jean-Baptiste Kempf, president of VideoLAN and open source developer in a post outlining the patches.
    4. CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign - Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks. The flaw is a deserialization remote command execution zero-day vulnerability that affects the Oracle WebLogic wls9_async and wls-wsat components. The issue affects all WebLogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.
    5. Tens of thousands of images stolen in US border hack - In addition to license plates, pictures of people were leaked as well: CBP uses cameras at airports and land border crossings as part of a growing facial-recognition programme designed to track people entering and exiting the US. The agency said the sub-contractor in the breach had stored the images on its systems without official consent, and that CBP's own systems were not affected. The pictures were of people in vehicles entering and leaving the country via a single border entry point, which CBP did not name.
    6. Troy Hunt Looks to Sell Have I Been Pwned - Troy states the project is too time consuming for one person and is looking to sell; we don't fault him for that in any way and, knowing Troy, we are confident it will end up in good hands. Nicknaming the acquisition project “Project Svalbard” after the Arctic island location of the world’s most enormous seed bank, Hunt said he’s working with consultancy KPMG to identify potential buyers. He plans to let the process happen “organically,” he said, and there’s no timeline on it. He’s already started to have conversations with candidates, however.
    7. Microsoft Pushing for a Passwordless Windows 10 | SecurityWeek.Com - The latest release of Windows 10, version 1903, allows users to add a passwordless phone number Microsoft account to Windows and to sign-in with the Microsoft Authenticator app. Moreover, there’s the Windows Hello certified as a FIDO2 authenticator for sign-in on the web, and a streamlined Windows Hello PIN recovery above the lock screen. While this does get around many password attacks, potentially, what flaws will be revealed in these new features?
    8. Adobe Fixes Critical Flash, ColdFusion Flaws - The most severe of these exists in Adobe ColdFusion, Adobe’s commercial rapid web application development platform: “Adobe has released security updates for ColdFusion versions 2018, 2016 and 11,” according to Adobe’s release. “These updates resolve three critical vulnerabilities that could lead to arbitrary code execution.” These include a file extension blacklist bypass glitch (CVE-2019-7838); a command injection flaw (CVE-2019-7839); and a deserialization of untrusted data vulnerability (CVE-2019-7840).
    9. Linux Command-Line Editors Vulnerable to High-Severity Bug - The PoC demonstrates “a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research. “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
    10. Near-Ubiquitous Critical Microsoft RCE Bugs Affect All Versions of Windows - Two critical Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
    11. Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine - Help Net Security - Here's the skinny: the attacks (1) remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation; (2) relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution; and (3) modify NTLM messages to generate legitimate channel binding information, which allows attackers to connect to various web servers using the attacked user’s privileges and perform operations. On the patches: Microsoft has issued patches for the two bugs as part of its June Patch Tuesday update. Full protection, however, will also require configuration changes. “The patch Microsoft will issue will not be enough to stop the described attacks,” Zinar said. “Secure configuration is needed to be fully protected, and usage of old protocol versions is still exploitable. You need to monitor traffic carefully and analyze network configuration to be 100 percent protected.”
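
    The GoldBrute pattern in item 1 (each bot sends only one username/password attempt per target, from a different IP) defeats the usual "N failures from one IP" rule. The following detection logic is an added example written for these notes, not code from any of the linked articles; the log lines are constructed and use a simplified one-line layout rather than real Windows event XML.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one failed RDP logon (Windows EventID 4625,
# LogonType 10) per source IP, simplified to: timestamp host event_id logon_type src_ip user
SAMPLE_LOG = """\
2019-06-11T10:00:01 rdp-gw1 4625 10 198.51.100.10 administrator
2019-06-11T10:00:07 rdp-gw1 4625 10 203.0.113.22 admin
2019-06-11T10:00:15 rdp-gw1 4625 10 192.0.2.77 user1
2019-06-11T10:00:31 rdp-gw1 4625 10 198.51.100.99 guest
2019-06-11T10:00:44 rdp-gw1 4625 10 203.0.113.5 administrator
2019-06-11T10:01:02 rdp-gw1 4625 10 192.0.2.8 support
2019-06-11T10:30:00 fileserver 4625 10 198.51.100.10 alice
2019-06-11T10:30:09 fileserver 4625 3 10.0.0.5 bob
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\d+) (\S+) (\S+)$")

def failed_rdp_logons(log_text):
    """Yield (timestamp, host, src_ip) for every failed interactive RDP logon."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "4625" and m.group(4) == "10":
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(5)

def per_ip_alerts(log_text, threshold=5):
    """Classic rule: alert on any source IP with `threshold` or more failures.
    Misses GoldBrute, because each bot tries only one combination per target."""
    counts = defaultdict(int)
    for _, _, ip in failed_rdp_logons(log_text):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_alerts(log_text, min_sources=5, window=timedelta(minutes=5)):
    """Per-target rule: alert on a host that sees failures from at least
    `min_sources` distinct IPs within a sliding `window`, however few per IP.
    Returns {host: distinct_source_count} for hosts that trip the rule."""
    by_host = defaultdict(list)
    for ts, host, ip in failed_rdp_logons(log_text):
        by_host[host].append((ts, ip))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sources = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                alerts[host] = len(sources)
                break
    return alerts
```

    On the sample, the per-IP rule stays silent while the per-target rule flags rdp-gw1, which is the point: key the threshold on the target and the count of distinct sources, not on the source.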

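    Item 9 above says the PoC hides its modeline behind terminal escape sequences so that plain cat shows nothing. A file scanner that surfaces such modelines, plus a check that a vimrc applies one of the mitigations quoted there, is an added example for these notes and not Razmjou's code; the sample file content is constructed and harmless (fde=0 is only there to trip the expression-option flag).

```python
import re

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
MODELINES = 5
# ' vim:' / ' vi:' / ' ex:' preceded by whitespace or line start, as Vim's parser requires.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(.*)$")
# ANSI/VT escape sequences and C0 control bytes that plain `cat` renders invisibly.
ESCAPE_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]|[\x00-\x08\x0b\x0c\x0e-\x1f]")
# Options that evaluate an expression; 'modelineexpr' (patch 8.1.1366) disallows them.
EXPR_OPTIONS = ("foldexpr", "fde", "foldtext", "fdt", "statusline", "stl",
                "includeexpr", "inex", "formatexpr", "fex")

# Constructed, harmless sample: line 3 carries a modeline behind an escape
# sequence and sets an expression option; line 5 is an ordinary modeline.
SAMPLE = (
    "# build notes\n"
    "line two\n"
    "\x1b[0m vim: set fdm=expr fde=0:\n"
    "more text\n"
    "vim: set ts=4 sw=4:\n"
)

def scan(text):
    """Return one finding per modeline Vim would honour, with flags for a
    concealing escape sequence and for expression-bearing options."""
    lines = text.splitlines()
    n = len(lines)
    candidates = set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n))
    findings = []
    for i in sorted(candidates):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        opts = m.group(1)
        findings.append({
            "line": i + 1,
            "modeline": opts,
            "escape_seq": bool(ESCAPE_RE.search(lines[i])),
            "expr_option": any(re.search(r"\b%s=" % o, opts) for o in EXPR_OPTIONS),
        })
    return findings

HARDENED_RE = re.compile(r"^\s*set(?:local)?\s+(?:nomodeline|nomodelineexpr)\b", re.M)

def modeline_hardened(vimrc_text):
    """True if a vimrc applies either mitigation named above (nomodeline / nomodelineexpr)."""
    return HARDENED_RE.search(vimrc_text) is not None
```
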
    Expert Commentary:

    Evolution of Extortion Emails Continues

    https://www.grahamcluley.com/extortion-emails/

    https://nakedsecurity.sophos.com/2019/06/11/its-a-scam-send-bitcoin-or-your-companys-reputation-is-toast/

    Tell your family, your friends, and your co-workers that the scammers have rolled out new schemes to steal thousands of dollars from their victims. No, they haven’t been hacked. No, they don’t need to call the cops. They just need to hit delete. There are two scams that I wanted to cover today. These scams were covered in the Sophos Naked Security blog and Graham Cluley's blog. The links are in the show notes.

    The first is aimed at anyone with an email account. The intended victim receives an email that claims to be from a CIA operative who is working an investigation into child porn. (Hint: this would be the FBI, not CIA) The victim has appeared in this investigation and they are trafficking in child porn! No fear though, if you send the CIA operative $10,000 in bitcoin, they will remove you from the data that has been collected! Why did the scammers pick the CIA for this? No idea, since they aren’t law enforcement. This type of investigation isn’t really their thing. Obviously, the attack could be improved by using the FBI or some other law enforcement agency.

    The second scam is aimed at web site owners, though I imagine there will be a few people who will panic over a website that they don’t actually have. The email comes in saying that they have decided to charge you roughly $2400 to avoid having your site permanently blacklisted and banned from the internet. FOREVER. How will they do this? The scammer will cause you to receive thousands of “angry complaints from angry people”. They will leave “tens of thousands” of negative reviews on your site. They will get your email account blocked for your entire lifetime due to the spamming they will do. Eventually, your domain will be removed from the internets. They won’t stop there either. You will get thousands of complaints to your mail and messengers. They will settle for nothing less than the “complete destruction of your reputation and loss of clients forever”. Recovery from this will cost you “tens of thousands of dollars”.

    To do all this, they will send 30 messages to 13,000,000 sites with offensive messages that link back to your website. They will send 300 messages to 9,000,000 email addresses with intrusive advertisements that promise a free iPhone from your web site. Finally, my personal favorite: they will leave aggressive spam on forums, blogs, etc. To be sure you know they are serious, they tell you that they have 35,978,370 sites and 315,900 sites in their database! (Wouldn’t that just be 36,294,270 sites?) It sounds like they are about to end our world.

    But not really. The fix for these terrible situations is obviously the same. Hit the delete key and move on with the day. As I’ve commented on in the past, this could make a fun write up for company security awareness campaigns. Helpful advice from IT security that could matter to people’s personal lives. Using stories like this in awareness messages can help build your credibility with the business. After all, you are the person who helped them avoid being scammed a couple of months ago. Your colleagues in other departments may have more sympathetic ears as you provide security advice on a project that is being rolled out.

