HNNEpisode222

From Paul's Security Weekly
Revision as of 13:23, 11 June 2019 by Wheat Loaf (talk | contribs) (Security News)

Recorded June 11, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Paul Asadoorian
    Embedded device security researcher, security podcaster, and CEO of Active Countermeasures.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Security News

    1. New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide - Not using the RDP exploit dubbed BlueKeep, but brute forcing. Dubbed GoldBrute, the botnet is designed to escalate gradually by adding every newly cracked system to its network and tasking it with finding further exposed RDP servers and brute forcing them. To fly under the radar of security tools and malware analysts, the attackers behind this campaign command each infected machine to target millions of servers, each with a unique username and password combination, so that a targeted server receives brute force attempts from many different IP addresses.
    2. Millions of machines affected by command execution flaw in Exim mail server - The flaw, which dates back to version 4.87, released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that's required is for the person to send an email to "${run{...}}@localhost", where "localhost" is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges. A search on BinaryEdge (a service that indexes Internet-connected devices) showed that more than 4.7 million machines are running a vulnerable Exim version. It's a good bet that a non-trivial percentage of these machines are susceptible to the attacks. Updates to version 4.92 are available here.
    3. VLC Player Gets Patched for Two High Severity Bugs - Maintainers of the popular open-source VLC media player patched two high-severity bugs Friday. The flaws were an out-of-bounds write vulnerability and a stack buffer overflow bug. Developers behind the software, VideoLAN, said the patches were two of 33 fixes being pushed out to the media player and part of a new bug bounty program funded by the European Commission. “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the Free and Open Source Software Audit (FOSSA) program,” wrote Jean-Baptiste Kempf, president of VideoLAN and open source developer, in a post outlining the patches.
    4. CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign - Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks. The flaw is a deserialization remote command execution zero-day vulnerability that affects the Oracle WebLogic wls9_async and wls-wsat components. The issue affects all WebLogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.
    5. Tens of thousands of images stolen in US border hack - In addition to license plates, pictures of people were leaked as well: CBP uses cameras at airports and land border crossings as part of a growing facial-recognition programme designed to track people entering and exiting the US. The agency said the sub-contractor in the breach had stored the images on its systems without official consent, and that CBP's own systems were not affected. The pictures were of people in vehicles entering and leaving the country via a single border entry point, which CBP did not name.
    6. Troy Hunt Looks to Sell Have I Been Pwned - Troy states the project is too time consuming for one person and is looking to sell; we don't fault him for that in any way and, knowing Troy, we are confident it will end up in good hands. Nicknaming the acquisition project “Project Svalbard” after the Arctic island location of the world’s most enormous seed bank, Hunt said he’s working with consultancy KPMG to identify potential buyers. He plans to let the process happen “organically,” he said, and there’s no timeline on it. He’s already started to have conversations with candidates, however.
    7. Microsoft Pushing for a Passwordless Windows 10 | SecurityWeek.Com - The latest release of Windows 10, version 1903, allows users to add a passwordless phone number Microsoft account to Windows and to sign in with the Microsoft Authenticator app. Moreover, Windows Hello is certified as a FIDO2 authenticator for sign-in on the web, and there is a streamlined Windows Hello PIN recovery above the lock screen. While this potentially gets around many password attacks, what flaws will be revealed in these new features?
    8. Adobe Fixes Critical Flash, ColdFusion Flaws - The most severe of these exists in Adobe ColdFusion, Adobe’s commercial rapid web application development platform: “Adobe has released security updates for ColdFusion versions 2018, 2016 and 11,” according to Adobe’s release. “These updates resolve three critical vulnerabilities that could lead to arbitrary code execution.” These include a file extension blacklist bypass glitch (CVE-2019-7838); a command injection flaw (CVE-2019-7839); and a deserialization of untrusted data vulnerability (CVE-2019-7840).
    9. Linux Command-Line Editors Vulnerable to High-Severity Bug - “…a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat (cat -v reveals the actual content),” wrote Razmjou in a technical analysis of his research. “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.
    10. Near-Ubiquitous Critical Microsoft RCE Bugs Affect All Versions of Windows - Two critical Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
    11. Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine - Help Net Security - Here's the skinny. The flaws let an attacker: remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation; relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution; and modify NTLM messages to generate legitimate channel binding information, which allows attackers to connect to various web servers using the attacked user’s privileges and perform operations. And the patches: Microsoft has issued patches for the two bugs as part of its June Patch Tuesday update. Full protection, however, will also require configuration changes. “The patch Microsoft will issue will not be enough to stop the described attacks,” Ziner said. “Secure configuration is needed to be fully protected, and usage of old protocol versions is still exploitable. You need to monitor traffic carefully and analyze network configuration to be 100 percent protected.”
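For item 1 (GoldBrute), the detection problem is that each source address sends only one or two credential guesses against a given server, so a per-IP lockout or threshold never fires. The following is an added example, not code from the show or from the GoldBrute analysis: it groups failed RDP logons per target host and raises a "distributed" alert when a short window holds many failures spread over many sources, none above a small per-source cap, alongside the classic "single-source" rule that such a campaign evades. The log format is a constructed, simplified rendering of Windows Event ID 4625 (logon failure) with Logon Type 10 (RemoteInteractive, i.e. RDP); field names, thresholds and addresses are assumptions.

```python
"""Flag distributed RDP brute forcing: many sources, few guesses each.

Added example (not from the show or the GoldBrute write-up). The log format is
a constructed, simplified rendering of Windows failed-logon events:
event=4625 (logon failure), logon_type=10 (RemoteInteractive, i.e. RDP).
Field names, thresholds and addresses are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: rdp-gw01 gets seven failures from six addresses in two
# minutes (distributed); rdp-gw02 gets six from one address (classic, caught
# by per-source rules); rdp-gw03 sees one RDP failure and one non-RDP event.
SAMPLE_LOG = """\
2019-06-10T03:14:01Z host=rdp-gw01 event=4625 logon_type=10 src=203.0.113.10 user=administrator
2019-06-10T03:14:09Z host=rdp-gw01 event=4625 logon_type=10 src=198.51.100.7 user=admin
2019-06-10T03:14:22Z host=rdp-gw01 event=4625 logon_type=10 src=192.0.2.44 user=administrator
2019-06-10T03:14:35Z host=rdp-gw01 event=4625 logon_type=10 src=203.0.113.77 user=backup
2019-06-10T03:15:01Z host=rdp-gw01 event=4625 logon_type=10 src=198.51.100.200 user=test
2019-06-10T03:15:40Z host=rdp-gw01 event=4625 logon_type=10 src=192.0.2.9 user=administrator
2019-06-10T03:16:02Z host=rdp-gw01 event=4625 logon_type=10 src=192.0.2.9 user=admin
2019-06-10T03:20:00Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:20:03Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:20:06Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:20:09Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:20:12Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:20:15Z host=rdp-gw02 event=4625 logon_type=10 src=203.0.113.5 user=administrator
2019-06-10T03:30:00Z host=rdp-gw03 event=4625 logon_type=10 src=198.51.100.3 user=jsmith
2019-06-10T03:31:00Z host=rdp-gw03 event=4625 logon_type=3 src=198.51.100.3 user=jsmith
"""


def parse_line(line):
    """Parse one sample line into a dict with a datetime 'ts'; None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def failed_rdp_logons(lines):
    """Keep only failed logons (4625) of type 10 (RemoteInteractive = RDP)."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs
            if r and r.get("event") == "4625" and r.get("logon_type") == "10"]


def find_bruteforce(lines, window=timedelta(minutes=10), single_source_min=5,
                    min_failures=5, min_sources=5, per_source_cap=2):
    """Return one alert per host: 'single-source' if any one address reaches
    single_source_min failures in a window, else 'distributed' if the window
    holds at least min_failures from at least min_sources addresses with none
    above per_source_cap. The second branch is what a per-IP threshold misses."""
    by_host = defaultdict(list)
    for rec in failed_rdp_logons(lines):
        by_host[rec.get("host", "?")].append(rec)
    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):          # sliding window per start event
            chunk = [e for e in events[i:] if e["ts"] - start["ts"] < window]
            per_src = Counter(e.get("src") for e in chunk)
            busiest = max(per_src.values())
            kind = None
            if busiest >= single_source_min:
                kind = "single-source"
            elif (len(chunk) >= min_failures and len(per_src) >= min_sources
                  and busiest <= per_source_cap):
                kind = "distributed"
            if kind:
                alerts.append({"host": host, "kind": kind, "failures": len(chunk),
                               "distinct_sources": len(per_src),
                               "users": sorted({e.get("user") for e in chunk}),
                               "window_start": start["ts"].isoformat()})
                break                                 # one alert per host
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, only rdp-gw02 trips the per-source rule; rdp-gw01 is reported solely by the distributed branch, which is the shape the write-up describes. In production the window and caps are tuned per environment, and the distinct-user count helps separate spraying from a single mistyped password.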
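For item 9 (Vim modelines), the two properties worth checking a file for are a modeline that sets expression-taking options (what turning modelineexpr off refuses) and terminal escape sequences on the same line (the trick that hides the modeline from cat but not from cat -v). The following is an added Python scanner, not the researcher's PoC or Vim's own code; the list of expression options, the constructed sample files and the EXPR_PLACEHOLDER value are assumptions. It looks only at the lines Vim would honour, the first and last 'modelines' (default 5) lines of a file.

```python
"""Scan text for Vim modelines and flag expression options and hidden lines.

Added example, not the researcher's PoC or Vim's code. Samples are constructed;
EXPR_PLACEHOLDER stands in for any expression value. The option list below is
an assumption drawn from Vim option names that take an expression.
"""
import re

# Vim modeline forms: "vim: opts" and "vim: set opts:"; vi/ex/Vim also accepted.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:se(?:t)?\s+)?(?P<opts>.*)")

# Options (long and short names) that take an expression; these are the kind
# that setting 'modelineexpr' off keeps out of modelines.
EXPR_OPTIONS = {"foldexpr", "fde", "includeexpr", "inex", "indentexpr", "inde",
                "formatexpr", "fex"}

# Constructed samples.
BENIGN = "#include <stdio.h>\nint main(void) { return 0; }\n/* vim: set ts=4 sw=4 et: */\n"
SUSPICIOUS = "plain text\n/* vim: set foldexpr=EXPR_PLACEHOLDER fdm=expr: */\x1b[2J\n"
NO_MODELINE = "just a file\nwith no modeline at all\n"
BURIED = "\n".join([f"line {i}" for i in range(1, 8)]
                   + ["/* vim: set fde=EXPR_PLACEHOLDER: */"]
                   + [f"line {i}" for i in range(9, 16)]) + "\n"


def candidate_lines(lines, modelines=5):
    """Vim only honours modelines in the first and last 'modelines' lines."""
    n = len(lines)
    idx = sorted({i for i in range(n) if i < modelines or i >= n - modelines})
    return [(i + 1, lines[i]) for i in idx]


def option_names(opts):
    """Split a modeline option string into option names (drop '=value')."""
    return [tok.split("=", 1)[0] for tok in re.split(r"[\s:]+", opts) if tok]


def assess(text, modelines=5):
    """Return one finding per honoured modeline with a list of reasons:
    'escape-sequence' if the line carries ESC (0x1b), 'expression-option' if it
    sets an expression-taking option. An empty reasons list is a plain modeline."""
    findings = []
    for lineno, line in candidate_lines(text.splitlines(), modelines):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        reasons = []
        if "\x1b" in line:
            reasons.append("escape-sequence")
        if EXPR_OPTIONS.intersection(option_names(m.group("opts"))):
            reasons.append("expression-option")
        findings.append({"line": lineno, "reasons": reasons, "text": line})
    return findings


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                         ("none", NO_MODELINE), ("buried", BURIED)]:
        print(name, assess(sample))
```

The BURIED sample shows the edge case: a modeline outside the top and bottom 'modelines' lines is ignored by Vim, so the scanner ignores it too at the default setting and reports it only when told the editor's 'modelines' value is larger. A scanner like this complements, and does not replace, set nomodeline or the securemodelines plugin on the editing host.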

    Expert Commentary:
