Paul's Security Weekly Episode #674 - November 12, 2020
Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe
1. Disrupt Attacks at the Endpoint with Attivo Networks - 06:00 PM-06:45 PM
Security Weekly, in partnership with CyberRisk Alliance, is excited to present Security Weekly Unlocked on December 10, 2020. This one-day virtual event wraps up with the 15th anniversary edition of Paul’s Security Weekly, live on YouTube! Visit https://securityweekly.com/unlocked to view the agenda and register for free!
Attackers have repeatedly demonstrated that they can evade perimeter defenses to compromise a system inside the network. Once they get in, they must break out from that beachhead, conduct discovery, credential theft, lateral movement, privilege escalation, and data collection activities. Suppose they go looking for locally stored files or network shares and instead see nothing of value? What if they query Active Directory and don’t get real credentials in the responses? What if they look for ports or services to attack, and instead, their connections get redirected to systems with no value? If they can’t see and access data or accounts that move them forward, they can’t attack anything of value. Learn how deception and concealment technology can deny, detect, and disrupt attackers when they first enter the network.
This segment is sponsored by Attivo Networks.
Visit https://securityweekly.com/attivo to learn more about them!
Calculating ROI for Attivo Deception and Concealment Technology: https://attivonetworks.com/documentation/Attivo_Networks-Calculating_ROI_for_Deception_Concelament.pdf
Using a Commercial Deception Solution to Improve MITRE ATT&CK Test Results for Endpoint Security: https://go.attivonetworks.com/Improving-MITRE-test-results-endpoint-security.html
Attivo Networks MITRE Shield Mapping: https://go.attivonetworks.com/WC-MITRE-Shield-Mapping-whitepaper.html
Joseph Salazar is a veteran Information Security professional with over 20 years of both military and civilian experience. He is a retired Major from the US Army Reserves, having served 22 years as a Counterintelligence Agent, Military Intelligence Officer, and Cyber-Security Officer. He's been a Systems and Security Administrator, a CSIRT Analyst, a Security Operations Manager, and a Computer Forensic Investigator in his civilian career. He maintains the CISSP, CEH, and EnCE certifications, holds a BA in Legal Studies from UC Berkeley, and currently works for Attivo Networks as a Technical Deception Engineer.
2. Challenges With Securing Container Environments - 07:00 PM-07:45 PM
Join Amit Bareket, Co-founder & CEO of Perimeter 81 & Paul Asadoorian for a technical deep-dive into the problems inherent in legacy VPN technology. Together they will explore solutions for the modern workforce & how momentum toward perimeter-less architecture is helping redefine the future of cybersecurity. Register Now by visiting https://securityweekly.com/perimeter81
Sumedh and Badri discuss the challenges of securing containers, the DevOps need for visibility into what is running inside them, and Qualys' new approach to container runtime security.
This segment is sponsored by Qualys.
Visit https://securityweekly.com/qualys to learn more about them!
Container Runtime Security Press Release: https://www.qualys.com/company/newsroom/news-releases/usa/qualys-adds-runtime-defense-capabilities-to-its-container-security-solution/
Container Runtime Security Technical Blog: https://blog.qualys.com/product-tech/2020/11/03/built-in-runtime-security-for-containers
Container Security webpage: https://www.qualys.com/apps/container-security/
Qualys Security Conference: https://www.qualys.com/qsc/2020/virtual/
Badri Raghunathan is a director of product management at Qualys, responsible for spearheading Qualys’ product initiatives around cloud-native infrastructure (containers, serverless). A technology entrepreneur at heart, Badri thrives on understanding customer problems, building differentiated products, and taking them to market. Badri has worked in product and engineering management roles in a variety of industries, including security, networking and consumer electronics. Most recently, Badri was a founder at an early stage cloud DevSecOps startup, and prior to that, he led cloud-based security and networking products at companies like Symantec and Cisco. Badri holds 9 U.S. patents and has several more applications in the pipeline. He holds an MBA from the University of California Berkeley, and M.S. and B.S. degrees in electrical engineering from Oklahoma State University and the University of Madras respectively.
Sumedh Thakar is President and Chief Product Officer at Qualys.
As Chief Product Officer at Qualys, Sumedh oversees worldwide engineering, development and product management for the Qualys software-as-a-service (SaaS) platform and integrated suite of security and compliance applications. A core systems and database engineer, Sumedh started at Qualys in 2003, architecting and delivering Qualys' PCI compliance platform to meet the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. Today, more than 69 percent of ASVs and 50 percent of QSAs worldwide use Qualys PCI to perform PCI DSS certification.
3. Cobalt Strike Leak, DNS Cache Poisoning, & Decrypting Open SSH - 08:00 PM-09:30 PM
Would you like to have all of your favorite Security Weekly content at your fingertips? Do you want to hear from Sam & Andrea when we have upcoming webcasts & technical trainings? Have a question for one of our illustrious hosts, someone from the Security Weekly team, or wish you could “hang” out with the Security Weekly crew & community? Subscribe on your favorite podcast catcher, sign up for our mailing list, and join our Discord Server to stay in the loop on all things Security Weekly! Visit: https://securityweekly.com/subscribe
In our upcoming webcasts & technical trainings, you will learn how to thwart attackers using deception & how to build a risk-based vulnerability management program! Visit https://securityweekly.com/webcasts to see what we have coming up, or visit securityweekly.com/ondemand to view our previously recorded webcasts!
In the Security News, not all cyberattacks are created equal, Google patches two more Chrome zero days, What does threat intelligence really mean, Cobalt Strike leaked source code, DNS cache poisoning is back, and Zebras & Dots!
Jeff Man's Content:
- Computer Scientists Achieve ‘Crown Jewel’ of Cryptography - right up my alley
- Crystal Blockchain: Security Breaches and Fraud Involving Crypto Still High Despite Tech Development - I never thought I'd post an article about blockchain...
- Map of Security Breaches and Fraud Involving Crypto 2011-2020 - the full report from the article above
- ‘Security Threat’ Forces Hendrick Health to EHR Downtime Procedures - whatever that means
- Capcom suffers data breach
- Phishing Attacks Are Targeting People’s Emotions; It’s Time to Leverage AI to Help - AI to the rescue!!!
- Hackers steal 46 million Animal Jam user accounts and passwords
- Hospitality Cloud Platform Data Breach Caused by Misconfigured S3 Bucket
- 6 Ways to Reduce Your Cloud Attack Surface - because I want my security tips in bite-sized nuggets
Larry Pesce's Content:
- Kids' gaming website Animal Jam breached after miscreants spot private AWS key on pwned Slack channel
- Zebras and Dots
- Uncovered: APT 'Hackers For Hire' Target Financial, Entertainment Firms
- We Cracked the Redactions in the Ghislaine Maxwell Deposition
- “Privacy Nutrition Labels” in Apple’s App Store
- Google patches two more Chrome zero-days
- Samy Kamkar - NAT Slipstreaming
- Unlimited Chase Ultimate Rewards Points
- PLATYPUS: With Great Power comes Great Leakage
Lee Neely's Content:
- HMRC Smishing Tax Scam Targets UK Banking Customers - Information collected by the bogus pages reportedly includes victims' full names, dates of birth, home addresses, phone numbers, email addresses, passwords, credit card information, bank account information, National Insurance Numbers, passport numbers, driver's license numbers, memorable words and/or answers to security questions, and two-factor codes generated by online banking hardware devices.
- Israeli Companies Targeted with New Pay2Key Ransomware - Attacks are typically conducted after midnight, and the believed initial entry point for the intrusions is exploitation of weakly secured RDP services.
- Norwich, England-based housing association Flagship Group says it suffered a "Sodinokibi" ransomware attack last week that forced it to take the majority of its IT systems offline and resulted in the exposure of an unknown amount of employee and customer PII. Sodinokibi ransomware is advertised as REvil ransomware-as-a-service (RaaS) in underground forums, with multiple actors claiming to use the ransomware. The RaaS is operated by the actor "UNKN" (aka "Unknown").
- Brazil's Court System Under Massive RansomExx Ransomware Attack
- Prestige Reservation Platform Exposes Millions of Hotel Guests - An unsecured, misconfigured Amazon S3 bucket was exposed online containing 24.4GB (10 million files) of personally identifiable information (PII) and credit card information belonging to millions of customers worldwide.
- Flaws in PcVue SCADA Product Can Facilitate Attacks on Industrial Organizations - Three serious vulnerabilities affecting ARC Informatique's PcVue SCADA/HMI solution could be exploited by attackers to take complete control over and/or disrupt industrial processes.
Paul Asadoorian's Content:
- Not all cyberattacks are created equal: What researchers learned from 103 'extreme' events - The global 2017 NotPetya attack heavily skewed that figure, accounting for 20 percent of the losses by itself.
- Rapid7 Metasploit Framework msfvenom APK Template Command Injection - Irony: This Metasploit module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affected includes Metasploit Framework versions 6.0.11 and below and Metasploit Pro versions 4.18.0 and below.
- The Sad State of Two-Factor Authentication in U.S. Banking - Neat site: https://twofactorauth.org/ (List of websites and whether or not they support 2FA.)
- Container Security Threats - Good high-level article. There is this: Least privilege: You can give different containers different sets of privileges, each minimized to the smallest set of permissions it needs to fulfill its function. There is a lot to unpack in that one sentence as there are many sets of privileges (the container user, file system permission, capabilities, AppArmor, Seccomp, etc...).
- The Security Failures of Online Exam Proctoring - Interesting: The remote proctoring industry offers a range of services, from basic video links that allow another human to observe students as they take exams to algorithmic tools that use artificial intelligence (AI) to detect cheating. But asking students to install software to monitor them during a test raises a host of fairness issues, experts say. “There’s a big gulf between what this technology promises, and what it actually does on the ground,” said Audrey Watters, a researcher on the edtech industry who runs the website Hack Education. “(They) assume everyone looks the same, takes tests the same way, and responds to stressful situations in the same way.”
- DNS cache poisoning, the Internet attack from 2008, is back from the dead - The researchers’ paper, DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels, provides a far more detailed and technical description of the attack. They call the attack SAD DNS, short for Side channel AttackeD DNS. The researchers privately provided their findings to DNS providers and software developers. In response, Linux kernel developers introduced a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second. Professor Qian said the fix prevents the new technique from working. Cloudflare introduced a fix of its own. In certain cases, its DNS service will fall back to TCP, which is much more difficult to spoof.
- The Term "Threat Intelligence" is Poisoned. It Does Not Mean What You Think it Means. - You only really have to read this part: So, let’s start with Gartner’s definition of threat intelligence and go from there: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” However, many equate this definition to external sources of threat data only. The assumption and filter is that threat intelligence equals external threat data. But what about internal data – the telemetry, content and data created by each layer in our security architecture which, by the way, is free? Re-read the Gartner definition. It does not talk about external or internal data in the definition, instead focusing on knowledge and context.
- Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks - They brute-forced the key! Okay, but not really, the implementation had vulnerabilities that allowed brute-forcing to be feasible: “We are able to run an exhaustive key search to identify the encryption key that is used to encrypt the hashed password used to protect the application on the PLC,” ...The brute-force effort was made possible thanks to two flaws, researchers noted: First, the random nonce and secret key used in the encryption process are exchanged in cleartext...And secondly, the seed that is used to generate the keys is only two bytes long. This means that there are only 65,535 possible combinations of seed.
- Yantra Manav A wormable SSH bot - Love it: This blog post is purely based on my learning process on creating and emulating a wormable SSH bot.
- SaltStack Salt REST API Arbitrary Command Execution - According to the advisory, an unauthenticated attacker could use shell injection to execute arbitrary code on the Salt-API via the Salt SSH client. Interestingly, the patch was pushed to SaltStack’s GitHub on August 18th, though it’s not clear why the update and details were only recently disclosed. Based on the patch details, the fix prevents Popen with shell=True in the Salt SSH client. (From: https://www.tenable.com/blog/cve-2020-16846-cve-2020-25592-critical-vulnerabilities-in-salt-framework-disclosed)
- Microsoft advises users to stop using SMS- and voice-based MFA - Help Net Security - Still better than no MFA: Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
- The alleged decompiled source code of Cobalt Strike toolkit leaked online - Crap: The repository has been already forked more than hundreds of times and is rapidly spreading online.
- How to get root on Ubuntu 20.04 by pretending nobody's /home - GitHub Security Lab - Best part is here: Here’s what happened: I had found a couple of denial-of-service vulnerabilities in accountsservice. I considered them low severity, but was writing them up for a vulnerability report to send to Ubuntu. Around 6pm, I stopped work and closed my laptop lid. Later in the evening, I opened the laptop lid and discovered that I was locked out of my account. I had been experimenting with the .pam_environment symlink and had forgotten to delete it before closing the lid. No big deal: I used Ctrl-Alt-F4 to open a console, logged in (the console login was not affected by the accountsservice DOS), and killed accounts-daemon with a SIGSEGV. I didn’t need to use sudo due to the privilege dropping vulnerability. The next thing I knew, I was looking at the gnome-initial-setup dialog boxes, and was amazed to discover that I was able to create a new user with administrator privileges.
- Decrypting OpenSSH sessions for fun and profit - Neat! A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. The customer had pcaps and a hypervisor snapshot of the system on the moment it was compromised. We started wondering if it was possible to decrypt the SSH session and gain knowledge of it by recovering key material from the memory snapshot. In this blogpost I will cover the research I have done into OpenSSH and release some tools to dump OpenSSH session keys from memory and decrypt and parse sessions in combination with pcaps. I have also submitted my research to the 2020 Volatility framework plugin contest.
- This new malware wants to add your Linux servers and IoT devices to its botnet | ZDNet
- Mysterious Bugs Were Used to Hack iPhones and Android Phones and No One Will Talk About It
- Computer Scientists Achieve Crown Jewel of Cryptography
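The "Container Security Threats" item above says there is a lot to unpack in the least-privilege sentence because a container has several independent sets of privileges (user, file system, capabilities, AppArmor, seccomp). The following is an added example, not code from that article or from Qualys: it audits a Kubernetes pod spec, given as a plain dict so no YAML library is needed, for each of those knobs. The field names are the real `securityContext` fields and the classic per-container AppArmor annotation; the two sample pod specs are constructed, and the baseline it checks (and the list of "dangerous" capabilities) is an assumption, not a complete policy.

```python
"""Enumerate the separate privilege 'knobs' behind container least privilege.

Added example, not from the linked article or any vendor. Field names are
the real Kubernetes securityContext fields and the AppArmor annotation;
the sample pod specs are constructed and the baseline is an assumption.
"""

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Capabilities that amount to near-root if added back; assumed watch list.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(pod: dict, container: dict) -> list:
    """Return one finding string per least-privilege control that is missing."""
    name = container["name"]
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    sc = container.get("securityContext", {})
    findings = []

    # 1. Container user: the container-level setting overrides the pod-level one.
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append(f"{name}: runAsNonRoot is not true (may run as uid 0)")

    # 2. File system permissions: a writable root filesystem lets a payload persist.
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: readOnlyRootFilesystem is not true")

    # 3. The privileged flag and setuid-style privilege escalation.
    if sc.get("privileged", False):
        findings.append(f"{name}: privileged container (all capabilities, host devices)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")

    # 4. Capabilities: drop ALL, then add back only what the process needs.
    caps = sc.get("capabilities", {})
    dropped = {c.upper() for c in caps.get("drop", [])}
    added = {c.upper() for c in caps.get("add", [])}
    if "ALL" not in dropped:
        findings.append(f"{name}: capabilities.drop does not include ALL")
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(f"{name}: adds dangerous capability {cap}")

    # 5. Seccomp: with no profile the syscall filter is Unconfined.
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no seccomp profile (Unconfined)")

    # 6. AppArmor: set per container via a pod annotation keyed by container name.
    annotations = pod.get("metadata", {}).get("annotations", {})
    if annotations.get(APPARMOR_PREFIX + name, "unconfined") == "unconfined":
        findings.append(f"{name}: no AppArmor profile")

    return findings


def audit_pod(pod: dict) -> list:
    """Audit every container in the pod."""
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        findings.extend(audit_container(pod, container))
    return findings


# Constructed sample: a typical spec that relies entirely on defaults.
WEAK_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

# Constructed sample: the same workload with each knob set explicitly.
HARDENED_POD = {
    "metadata": {
        "name": "web",
        "annotations": {APPARMOR_PREFIX + "app": "runtime/default"},
    },
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit_pod(pod) or ['no findings']}")
```

The weak spec produces six findings, one per knob, which is the point: a container with no `securityContext` at all is root, writable, escalation-capable, carrying the runtime's default capability set, unconfined by seccomp and unconfined by AppArmor, and each of those has to be closed separately.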
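The "Bugs in Critical Infrastructure Gear" item above boils down to two facts quoted from the researchers: the nonce and the key material are exchanged in cleartext, and the key is derived from a two-byte seed, so the whole key space is 2^16. The block below is an added toy model written for this page, not the PLC's protocol and not the researchers' method: the KDF, the stream cipher, the `PWHASH` record header and the sample nonce, seed and password are all constructed. It only reproduces those two properties and shows that exhaustive search over the seed finishes in well under a second in plain Python.

```python
"""Why a two-byte seed makes an 'encrypted' password hash recoverable.

Added toy model, not the PLC protocol from the article. The KDF, the
stream cipher, the record header and the sample data are constructed.
"""
import hashlib
import hmac

SEED_SPACE = 1 << 16      # two bytes: seed values 0..65535
HEADER = b"PWHASH"        # assumed fixed marker in the protected record


def derive_key(seed: int, nonce: bytes) -> bytes:
    """Toy KDF: the key depends only on the 16-bit seed and the public nonce."""
    return hashlib.sha256(seed.to_bytes(2, "big") + nonce).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, block counter) blocks.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def protect(password: str, seed: int, nonce: bytes) -> bytes:
    """Device side: encrypt HEADER || SHA-256(password) under the seed-derived key."""
    return keystream_xor(derive_key(seed, nonce), HEADER + password_hash(password))


def recover_hash(ciphertext: bytes, nonce: bytes):
    """Attacker side: the nonce was observed in cleartext, so try every seed
    and keep the one whose decryption shows the expected header."""
    for seed in range(SEED_SPACE):
        key = derive_key(seed, nonce)
        # Decrypt only the first block to test the header cheaply.
        if keystream_xor(key, ciphertext[:32]).startswith(HEADER):
            return seed, keystream_xor(key, ciphertext)[len(HEADER):]
    return None


def crack_hash(pw_hash: bytes, wordlist):
    """Once the hash is out of the box, an offline dictionary attack finishes it."""
    for word in wordlist:
        if password_hash(word) == pw_hash:
            return word
    return None


if __name__ == "__main__":
    nonce = bytes(range(16))                       # constructed; 'sent in cleartext'
    record = protect("hunter2", 0xBEEF, nonce)     # constructed seed and password
    seed, recovered = recover_hash(record, nonce)
    print(f"seed 0x{seed:04x} found; hash {recovered.hex()}")
    print("password:", crack_hash(recovered, ["password", "admin", "hunter2"]))
```

Note what the nonce does and does not buy: it stops a precomputed table from being reused across devices, but since it travels in cleartext it adds no secrecy, so the attacker's work is exactly the 65,536 seed trials regardless of how strong the cipher behind the KDF is.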
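The SaltStack item above notes that the fix for the Salt SSH client "prevents Popen with shell=True". The block below is an added example, not Salt's code: a stand-in for that pattern (a caller-controlled value pasted into a command string that is run with `shell=True`) shown beside the two ways to fix it. The `echo` command and the `target` parameter are constructed for illustration.

```python
"""Shell injection through Popen(shell=True), beside two fixed forms.

Added example, not SaltStack's code. The command and the 'target'
parameter are constructed for illustration.
"""
import shlex
import subprocess


def run_vulnerable(target: str) -> str:
    """'Before': /bin/sh parses the string, so ';', '|' or '$(...)' inside
    target are executed as commands of their own."""
    cmd = f"echo connecting to {target}"
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]


def run_hardened(target: str) -> str:
    """'After', preferred form: no shell at all; target is exactly one argv
    element, so metacharacters reach the program as literal bytes."""
    proc = subprocess.Popen(["echo", "connecting", "to", target],
                            stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]


def run_quoted(target: str) -> str:
    """'After', when a shell string is unavoidable (e.g. a command line that a
    remote sshd will hand to a shell anyway): quote every untrusted piece."""
    cmd = f"echo connecting to {shlex.quote(target)}"
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]


if __name__ == "__main__":
    payload = "host; echo INJECTED"      # constructed injection payload
    for fn in (run_vulnerable, run_hardened, run_quoted):
        print(f"{fn.__name__}: {fn(payload)!r}")
```

With the payload `host; echo INJECTED`, the vulnerable form prints two lines (the second command ran), while both fixed forms print one line containing the payload verbatim. The argv-list form is the one to reach for first; `shlex.quote` is the fallback for the case Salt SSH actually has, where the final consumer is a remote shell and a string must be built.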