Recorded September 10, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts with ISC2 by going to securityweekly.com/webcasts . If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
- Armed with iOS 0days, hackers indiscriminately infected iPhones for two years - This is amazing: The 14 vulnerabilities comprised seven flaws in the WebKit package used by Safari, five bugs in the iOS kernel, and two flaws that escaped a browser sandbox that attempts to keep untrusted code from interacting with sensitive parts of the OS. At least one of the five chains was still a zeroday when Project Zero discovered it early this year. The Google researchers reported those flaws to Apple on February 1 with a seven-day deadline for Apple to fix before Google publicly disclosed them. Apple responded with an unscheduled update six days later. “It feels like the amount of effort that went into the exploits is very significant,” said Charles Holmes, a managing principal research consultant who focuses on mobile security at Atredis Partners. “Maintaining capabilities off of the last three years of iOS and a combination of hardware devices and firmware—a lot of time and effort went into that. My gut feels like some nation was behind maintaining that capability.”
- Google throws bug bounty bucks at mega-popular third-party apps - In a post from the Android Security & Privacy team’s Adam Bacchus, Sebastian Porst, and Patrick Mutchler, the company said that it’s throwing the security net over not just its own apps, but over all uber-popular third-party software – as in, apps that have more than 100 million installs...This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.
- How MuleSoft patched a critical security flaw and avoided a disaster | ZDNet - This is a snippet of a serious vulnerability disclosure, and even though it required extra work from customers, the way MuleSoft handled it was awesome: Everyone running an on-site Mule engine or API Gateway was getting a call to check if they received and read the email. Furthermore, Sarid said that MuleSoft had taken an unprecedented step of seeking out and talking to each company's security and DevOps departments, and not just secretaries or sales representatives. They were taking this security flaw very seriously. They wanted their message to reach the proper person in each organization, and they wanted to make sure companies installed the patches. But they didn't stop here. MuleSoft also scheduled a second wave of calls after companies installed the patches, verifying that customers followed through, and passing on additional mitigation advice.
- Jack Dorsey's Twitter account got hacked | ZDNet - Some insights into what happened: A Twitter user also pointed out that the source of all the unauthorized tweets was CloudHopper, a company Twitter acquired in 2010. CloudHopper allows users to send out tweets using SMS messages. It's unclear if hackers breached the old CloudHopper infrastructure, or if they SIM swapped Dorsey's real phone number to interact with his account via SMS.
- Attackers are exploiting vulnerable WP plugins to backdoor sites - Help Net Security - This campaign has been targeting a number of known vulnerabilities since we began tracking it, and new vulnerabilities are added to the list of targets as they’re discovered. Of particular note is a recently disclosed flaw in the Bold Page Builder plugin. On August 23rd, NinTechNet released a warning that a vulnerability had been discovered in the plugin and had been under attack since the previous day. The Wordfence firewall’s built-in XSS protection detected attacks against this vulnerability as early as August 20th.
- USBAnywhere Bugs Open Supermicro Servers to Remote Attackers - Authentication vulnerabilities in the baseboard management controllers (BMCs) of Supermicro X9-X11 servers have been discovered that allow a remote attacker to easily connect to a server and mount any virtual USB device of their choosing. The bugs, collectively dubbed USBAnywhere, allow an attacker to obtain credentials for the BMCs. Once obtained, an attacker can then perform a range of USB-based attacks against the server remotely, including data exfiltration, booting from untrusted OS images or direct manipulation of the system via a virtual keyboard and mouse, according to researchers at Eclypsium.
- Meet Domen, a New and Sophisticated Social Engineering Toolkit | SecurityWeek.Com - Sounds more like clickjacking: The basic premise is to compromise a website, usually WordPress, and use that to display an overlay (loaded as an iframe) on the visitors' screens. The overlay entices visitors to install an update that really downloads the NetSupport RAT. In this it is very similar to the Fake Updates campaign described in April 2018. The campaign also has some similarities to the EITest and HoeflerText social engineering scheme reported in January 2017. In that instance, the malware payload was the ad fraud malware known as Fleercivet; but the campaign was later observed spreading the Spora ransomware.
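The Domen item above describes an injected iframe that covers the visitor's whole screen and is served from infrastructure the site owner does not control. A site owner who suspects this can check their own rendered pages for exactly that shape. The script below is an added example written for these show notes; it is not code from the SecurityWeek article or from any vendor tool. It assumes the site's legitimate iframe origins are known (the FIRST_PARTY allowlist, here the made-up hostname example-blog.test) and uses a constructed sample page containing one normal embed and one injected overlay:

```python
"""Added example: flag iframes in an HTML page that look like an injected
full-page overlay (cross-origin source and/or fixed positioning that covers
the whole viewport). The allowlist and the sample HTML are assumptions
constructed for this demo, not data from any real site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: origins that may legitimately embed iframes on this site.
FIRST_PARTY = {"example-blog.test", "www.example-blog.test"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _covers_viewport(style):
    """True if an inline style pins the element over the whole viewport."""
    s = "".join(style.lower().split())  # 'width: 100%' -> 'width:100%'
    fixed = "position:fixed" in s
    full_w = "width:100%" in s or "width:100vw" in s
    full_h = "height:100%" in s or "height:100vh" in s
    return fixed and full_w and full_h


def suspicious_iframes(html, first_party=FIRST_PARTY):
    """Return [(src, [reasons])] for iframes that are cross-origin to the
    allowlist and/or styled as a full-viewport overlay."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # Relative sources (no hostname) are treated as first-party.
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in first_party:
            reasons.append("cross-origin src")
        if _covers_viewport(attrs.get("style", "")):
            reasons.append("full-viewport fixed overlay")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one ordinary first-party embed, one injected overlay.
SAMPLE_HTML = """
<html><body>
<h1>Example blog</h1>
<iframe src="https://example-blog.test/embed/video/42" width="640" height="360"></iframe>
<iframe src="https://updates-cdn.test/overlay.html"
        style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 999999; border: 0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML):
        print(f"{src}: {', '.join(reasons)}")
```

Run it against the HTML a browser actually receives (fetch with a normal browser User-Agent; campaigns of this kind often serve the overlay only to real visitors), and treat any cross-origin, fixed-position, full-size iframe as a page that needs a file-integrity and database review rather than just a cleanup of the tag.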
Expert Commentary: Matt Alderman
After a slew of ransomware attacks, and pay-offs, targeted at cities and municipalities earlier this year, is the tide starting to turn?
The use of ransomware to hold cities hostage has continued to grow. But the more those affected pay the ransom, whether through their insurance policies or other means, the more likely future ransom demands are to increase. However, most citizens are against local governments paying ransomware attackers. A recent study by Morning Consult on behalf of IBM found that nearly 2 in 3 respondents would prefer to pay higher repair costs and not pay a ransom rather than using taxpayer dollars to pay for a ransom. Taxpayers would rather see ransomware play out than pay up, which is exactly what cities in Texas and Massachusetts just did.
After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself. According to Mayor Jon Mitchell, only 158 computers, or 4 per cent of the more than 3,500 machines used by city employees, were compromised. Unwilling to pay the $5.3M, which would have been the largest known ransom payout for an attack yet, Mitchell said he made a counter-offer of $400,000, based on cyber-insurance proceeds available to the city. When the counter-offer was rejected, the city took its own steps by shoring up defenses, restoring from backups, and rebuilding systems.
New Bedford is not alone. The state of Texas is refusing to comply with the demands of a ransomware attack that affected 22 local governments, according to Texas Department of Information Resources (DIR) reports. Hackers managed to infiltrate the 22 local government organizations via a third-party services provider, planting ransomware that encrypted data and disrupted business-critical services. The ransom demand was $2.5M. But instead of paying the ransom, DIR implemented its response plan within hours of receiving notice of the event. By day four, response teams had visited all impacted sites and completed the response work at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery.
Is this the new trend? Not every city or municipality will make the same decision, but with ample planning, they can have a choice. Here are a few tips for being prepared:
- Keep your systems up to date with the latest patches.
- Back up your systems, test restores from backups, and keep critical backups offsite/offline.
- Have a business continuity/disaster recovery plan, including incident response, and test it!
- Periodically test your defenses, either internally or externally via reputable testing firms.
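New Bedford and Texas could refuse to pay only because their backups actually restored. The second tip above, "test restores from backups", is the one most often skipped, so here is an added example of what an automated restore test looks like; it is not code from the commentary or from any city's tooling. It assumes a local filesystem and a constructed two-file sample tree; copying the archive and its manifest to offline or offsite media is left to the operator and is not done by the script:

```python
"""Added example: make a backup archive, record a SHA-256 manifest of the
source tree at backup time, then prove the archive restores by extracting
it to a scratch directory and comparing every file against the manifest.
The sample tree built in demo() is constructed for this demo."""
import hashlib
import os
import shutil
import tarfile
import tempfile


def tree_digests(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken at
    backup time (store the manifest with the offline copy of the archive)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return tree_digests(src_dir)


def verify_restore(archive_path, manifest):
    """Restore the archive into a scratch directory and compare it with the
    manifest. Returns (ok, sorted list of paths that are missing, extra or
    differ). The scratch directory is always removed."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to older 3.x
            # patch releases) refuses absolute paths and '..' traversal
            # in archive members; fall back silently where it is absent.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = tree_digests(scratch)
    finally:
        shutil.rmtree(scratch)
    problems = sorted(
        p for p in set(manifest) | set(restored) if manifest.get(p) != restored.get(p)
    )
    return (not problems, problems)


def demo():
    """Build a constructed sample tree, back it up, verify the restore, then
    corrupt the manifest entry for one file and verify again. Returns the
    two (ok, problems) results."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "a.txt"), "w") as fh:
            fh.write("alpha\n")
        with open(os.path.join(src, "sub", "b.txt"), "w") as fh:
            fh.write("beta\n")
        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        first = verify_restore(archive, manifest)
        # Stand-in for an archive that no longer restores what the manifest
        # records (truncated, corrupted or stale copy).
        manifest["a.txt"] = "0" * 64
        second = verify_restore(archive, manifest)
        return first, second
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    first, second = demo()
    print("intact archive:", first)
    print("mismatched archive:", second)
```

Run the verification against the copy you would actually restore from in an incident, the offline or offsite one, not the live disk the attacker can also reach; a backup that has never been restored is a hope, not a plan.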