From Security Weekly Wiki

Recorded November 26, 2019 at G-Unit Studios in Rhode Island!



  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures .
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to -> Click the webcast dropdown & Select Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting on-demand from the webcast dropdown! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!

    Security News

    1. PoC exploit code for Apache Solr RCE flaw is available online - Configuration management is important: “If you use the default file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication,” the advisory continues. “If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.” This matters all the more because many of the tutorials I've been reading on application deployment still store secrets and credentials in environment variables and run applications as root.
    2. Many Apps Impacted by GIF Processing Flaw Patched Recently in WhatsApp - Tracked as CVE-2019-11932, the security flaw exists in an open source library that is part of the android-gif-drawable package and is used by numerous Android applications when processing GIF files. WhatsApp for Android was one of the impacted applications and Facebook patched it recently with the release of version 2.19.244. However, many other apps still use a vulnerable version of the library. To exploit the flaw against WhatsApp, an attacker would have to send a malicious GIF file to a WhatsApp user. This would automatically trigger the security bug as soon as the application generates a preview for the file in the WhatsApp Gallery. “On Google Play alone, we found more than 3,000 applications with this vulnerability. We also found many other similar apps hosted on third-party app stores such as 1mobile, 9Apps, 91 market, APKPure, Aptoide, 360 Market, PP Assistant, QQ Market, and Xiaomi Market.”
    3. Some Fortinet products used hardcoded keys and weak encryption for communications - Security researchers from SEC Consult Vulnerability Lab discovered that multiple Fortinet products use a weak encryption cipher (“XOR” with a static key) and hardcoded cryptographic keys to communicate with the FortiGuard Web Filter, AntiSpam and AntiVirus cloud services. An attacker could exploit the issues to eavesdrop on user traffic and manipulate it. The flaw discovered by SEC Consult Vulnerability Lab researchers has been tracked as CVE-2018-9195, and the experts also published proof-of-concept (PoC) code to trigger it. The PoC code is a Python 3 script that decrypts a FortiGuard message.
    4. Critical Flaws in VNC Threaten Industrial Environments - These bugs threaten any environment using VNC, which is not limited to ICS: Kaspersky found vulnerabilities not only in the client, but also on the server side of the system; many of the latter, however, can only be exploited after password authentication. Across all 37 bugs, there are two main attack vectors, the firm said: “An attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server’s privileges; [or] a user connects to an attacker’s ‘server’ using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user’s machine.” A significant number of the problems detailed in the research were found and reported last year; however, each of the projects examined also had newly discovered bugs.
    5. Twitter allows users to use 2FA without a phone number - To use security keys, users still need either text message or an authenticator app, and the feature is only supported on the web: “Currently we require you to have a second method along with security keys since the latter isn’t currently supported outside web. If you’d like to disable SMS, you need to also have a mobile security app. We know this might not be ideal but we’re going to keep working on it,” said Twitter security engineer Jared Miller.
    6. Smartphone maker OnePlus discloses data breach - This does not give me a warm fuzzy feeling: OnePlus says hackers gained access to past customer orders. Exposed information included details like customer names, contact numbers, emails, and shipping addresses, but not passwords or financial details, the company said. OnePlus believes the hacker's entry point was a vulnerability in its website, but did not provide any additional details. "We've inspected our website thoroughly to ensure that there are no similar security flaws," the company said.
    7. Smash-and-grab car thieves use Bluetooth to target cars containing tech gadgets - Lily Hay Newman, a staff writer at Wired, reports that a crime prevention specialist at the San Jose Police Department confirmed that thieves are using scanning apps to target vehicles containing laptops, smartphones, and tablets that are emitting Bluetooth signals. Police have not identified the precise apps being used by criminals, but according to the report they are simple to use and provide more detail than, say, the Android or iOS operating systems give when attempting to pair a device via Bluetooth: “They not only list everything they find, but provide details like what type of device they’re picking up, whether that device is currently paired to another over Bluetooth, and how close the listed devices are within a few meters. The apps are often marketed as tools for finding lost devices, like scanning for your misplaced FitBit at your in-laws’ house. But they’re dead simple to use for any purpose—and they surface many more results than your phone does on its own when looking for something to pair with in your Bluetooth settings.”
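The Solr issue in item 1 comes down to one start-script setting. As an added example (not code from this page, from Solr or from the podcast), here is a Python check that reads a bin/solr.in.sh and reports whether remote JMX is switched on and on which port. It assumes only the variable names ENABLE_REMOTE_JMX_OPTS and RMI_PORT, which are the ones upstream Solr's solr.in.sh uses; the two sample files are constructed.

```python
"""Added example (not from the Security Weekly page or the Solr project):
audit a Solr start script (bin/solr.in.sh) for the setting that exposes JMX
over RMI with no authentication. ENABLE_REMOTE_JMX_OPTS and RMI_PORT are the
variable names upstream Solr's solr.in.sh uses; the sample files below are
constructed for this demonstration."""
import re

# Uncommented KEY=value line; value may be bare or quoted, trailing comment ignored.
SETTING_RE = re.compile(r'^\s*([A-Z_]+)=["\']?([^"\'\s#]*)')
DEFAULT_RMI_PORT = 18983  # Solr's documented default when RMI_PORT is unset


def parse_solr_in_sh(text):
    """Return the effective (uncommented) assignments; the last one wins."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_solr_jmx(text):
    """Return (exposed, port): exposed is True when remote JMX is switched on."""
    s = parse_solr_in_sh(text)
    enabled = s.get("ENABLE_REMOTE_JMX_OPTS", "false").lower() == "true"
    port = int(s.get("RMI_PORT") or DEFAULT_RMI_PORT)
    return enabled, port


# Constructed samples: the risky default shipped in the affected releases,
# and a file with the option left commented out (the fix) and a custom port.
RISKY = '''# Enable remote JMX access by uncommenting the following line
ENABLE_REMOTE_JMX_OPTS="true"
# RMI_PORT=18983
'''
SAFE = '''# ENABLE_REMOTE_JMX_OPTS="false"
RMI_PORT=28983
'''

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("safe", SAFE)):
        exposed, port = check_solr_jmx(cfg)
        state = f"EXPOSED: JMX on RMI_PORT={port}, no authentication" if exposed else "OK"
        print(f"{name}: {state}")
```

A finding from this check is only the first half of the advisory's condition; the second half is whether that port is reachable through the firewall.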

    Expert Commentary: Jason Wood, Paladin Security

    Iranian hacking crew is targeting industrial control systems

    It appears that a very active Iranian team has changed its focus over the last few months and that has caught the attention of Microsoft’s threat intelligence team. Last week at CyberWarCon, Ned Moran of Microsoft spoke about how the group known as APT33 has gone from battering up against tens of thousands of organizations to about 2,000. He covered some concerns they have about some of the companies included in this smaller group, as they include about half of the top makers of Industrial Control Systems (ICS). Moran stated that all told they are seeing attacks being made on “dozens” of ICS related companies. His concern is about what they might do with the successful penetration of these organizations.

    APT33 is not known for its subtlety or finesse. Their activities generally consist of broad attempts at password spraying at their targets. However, the narrower focus on target organizations has allowed them to increase the intensity of their attempts on them. Instead of small lists of passwords and large lists of targets, they have larger lists of passwords and a smaller list of targets. Iran is known to have destroyed systems and data during their activities. Iran is far from the only country that has done this, but it apparently is something they do more often than others. Beyond this, the article in Wired does not have many details. So let’s follow along with the speculation and see what Moran thinks.

    Microsoft isn’t certain of the motivations for the attacks. However, Moran stated that "They're going after these producers and manufacturers of control systems, but I don’t think they’re the end targets. They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems." Following his reasoning, this would be a bit of a supply chain attack. APT33 has never been implicated in actually destroying systems. Their focus has been on reconnaissance and espionage. However, Moran pointed out that they have had their “fingerprints” on intrusions that someone else followed up on with destructive attacks, which would make sense given the idea that they are tasked with reconnaissance.

    Others, such as Adam Meyers of CrowdStrike, pointed out that even with this narrower focus, there isn’t enough out there to indicate why APT33 is behaving the way they are now. It could be to continue conducting espionage and not to get into the business of wiping out networks. Meyers pointed out that by compromising a supplier, the group could more easily pivot to energy companies. There’s more credibility in an email or software update that appears to come from your supplier. This still plays into the idea that APT33 is focused on a supply chain attack.

    So what do we do with this? Well, if you work at a company that makes ICS software or hardware, or provides ICS services, be aware that you may be under closer scrutiny by an attacker. You need to look at this information and see if you are seeing changes in how you are being attacked. If you are seeing an increase in authentication failures, then you could be being targeted with password spraying attacks. It could be APT33 knocking on your door. Put this information into the context of your organization and be a bit more vigilant.

    For the rest of us, we can play armchair general a bit and speculate on why this could be happening. One of the things that crossed my mind was the threats being made by General Hossein Salami of Iran's Revolutionary Guard. He stated, "If you cross our red line, we will destroy you. We will not leave any move unanswered.” So if you are Iran, you have to look at what your capabilities are and those of your enemies. Can Iran do a heads-up war with the United States where both sides are committed to fighting it out? No way. Iran can certainly cause harm and kill people, but they won’t win that shooting match. However, do they have the capability to conduct destructive cyber attacks? Yes, they do. So while General Salami’s statements appear to focus on conventional war, it certainly could mean that he is including the aspect of cyber warfare. That is entirely speculation on my part.

    The point of this for us is to keep in mind that countries do have the capabilities to cause harm without blowing something up with a bomb or missile. They can and are using computer systems to be disruptive and do so with plausible deniability. Iran is under pressure right now both internally and externally. They may decide to lash out in any way they can and they have experience in this arena. It’s just part of the world we live in now.
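The commentary's practical advice is to watch authentication failures for the password-spraying pattern: many accounts, each tried a few times, rather than one account hammered. As an added example (not code from this page or from Jason Wood), here is Python detection logic run over constructed log lines; the `ts user src result` format is hypothetical, not any vendor's, and the threshold values are illustrative.

```python
"""Added example (not from the Security Weekly page): flag the authentication
failure pattern of password spraying, many distinct accounts each tried a few
times from one source, as opposed to brute force against one account. The log
lines and the 'ts user src result' format are constructed for this demo."""
from collections import defaultdict

LOG = """\
2019-11-25T09:00:01 alice 203.0.113.7 FAIL
2019-11-25T09:00:02 bob 203.0.113.7 FAIL
2019-11-25T09:00:03 carol 203.0.113.7 FAIL
2019-11-25T09:00:04 dave 203.0.113.7 FAIL
2019-11-25T09:00:05 erin 203.0.113.7 FAIL
2019-11-25T09:00:06 frank 203.0.113.7 SUCCESS
2019-11-25T09:01:00 alice 198.51.100.9 FAIL
2019-11-25T09:01:01 alice 198.51.100.9 FAIL
2019-11-25T09:01:02 alice 198.51.100.9 FAIL
2019-11-25T09:02:00 bob 192.0.2.5 FAIL
"""


def parse_auth_log(text):
    """Yield (timestamp, user, source, result) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user, src, result = line.split()
        yield ts, user, src, result


def find_password_spray(text, min_users=5, max_per_user=2):
    """Return {source: sorted users} for sources whose failures touch at least
    min_users distinct accounts with no more than max_per_user failures each.
    A source hammering one account (brute force) is deliberately left out."""
    failures = defaultdict(lambda: defaultdict(int))
    for _, user, src, result in parse_auth_log(text):
        if result == "FAIL":
            failures[src][user] += 1
    return {src: sorted(per_user) for src, per_user in failures.items()
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user}


def sprayed_accounts_with_success(text, hits):
    """Accounts that authenticated from a spraying source: first follow-up,
    since one weak password is all a spray needs."""
    return sorted({u for _, u, src, r in parse_auth_log(text)
                   if src in hits and r == "SUCCESS"})


if __name__ == "__main__":
    hits = find_password_spray(LOG)
    print("spray sources:", hits)
    print("follow up first:", sprayed_accounts_with_success(LOG, hits))
```

A production version would bucket by time window and by the identity provider's own source fields; the distinct-accounts-per-source shape is what separates a spray from ordinary lockout noise.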
