BuzzSec

Originally Aired on June 28, 2021 Articles discussed in this episode: 00:00 – PreShow Banter™ — Way West Recap06:38 – Story 1 : https://ift.tt/363xru3 – Story 2 : https://ift.tt/3jqnz5w – Story 3 : https://ift.tt/2TezxEJ – Story 4 : https://ift.tt/3AhrxDh – Story 5 : https://ift.tt/3jqnIG6 – Story 6 : https://ift.tt/3Aipb7a – Story 7 : https://ift.tt/3hmQ6WT – […] The post Talkin’ About Infosec News – 6/28/2021 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/talkin-about-infosec-news-6-28-2021/

IPO is the highest valued in cybersecurity history, according to reports. from Dark Reading: https://www.darkreading.com/endpoint/sentinelone-starts-trading-on-nyse-raises-$12b-in-ipo/d/d-id/1341452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation. from Dark Reading: https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-zero-day-vulnerabilities/d/d-id/1341440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

"Indexsinas" is the latest threat designed to exploit Windows servers that remain vulnerable to an NSA-developed exploit Microsoft patched more than four years ago. from Dark Reading: https://www.darkreading.com/endpoint/smb-worm-targeting-eternalblue-vuln-spreads-to-us/d/d-id/1341445?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation. from Dark Reading: https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-0-day-vulnerabilities/d/d-id/1341440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day. Such is the curse of the fraud fighter known online by the handles “ Brianna Ware ” and “ BWare ” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams. For the past year, BWare has maintained contact with an insider from the criminal group that

700 Million LinkedIn user’s personal details were posted for sale earlier this month, putting 92% of their userbase at risk of social engineering and spear phishing attacks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/almost-all-linkedin-users-data-has-been-scraped-and-is-up-for-sale-on-the-dark-web

As part of Business Email Compromise attacks, spear phishing now plays a material role, with impersonation sitting firmly at the core of their social engineering tactics… in more ways than one. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/spear-phishing-impersonation-attacks-take-on-new-tactics-to-become-more-convincing-and-effective

A new report finds IT, healthcare, and manufacturing are the industries most targeted by phishing emails. from Dark Reading: https://www.darkreading.com/attacks-breaches/impersonation-becomes-top-phishing-technique/d/d-id/1341443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The self-propagating malware's attack chain is complex, using former NSA cyberweapons, and ultimately drops cryptominers on targeted machines. from Threatpost https://threatpost.com/indexsinas-smb-worm-enterprises/167455/

Apple security expert Patrick Wardle found that some macOS malware written for the new M1 processor can bypass anti-malware tools. from Dark Reading: https://www.darkreading.com/endpoint/attackers-already-unleashing-malware-for-apple-macos-m1-chip/d/d-id/1341442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Editor’s Note : The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.  Background Businesses and organizations use content management systems (CMS) and web hosting control panels to simplify the management of websites and deliver improved functionality for site visitors. CMS control panels allow content managers to manage the site at the web application level, such as adding a shopping cart extension for e-commerce functionality. Web hosting control panels are interfaces that allow administrators to manage their web servers and hosted services. In essence, access to a site’s CMS control panel allows cybercriminals to inject digital skimmers, potentially access payment card data from previous stored transactions, and access CMS user account information, whereas access to web hosting control panels enables cybercriminals to perform the aforementioned activity and potentially conduct more intrusive activi

The VPN service allegedly provided a means for cybercriminals to target their victims, Europol officials report. from Dark Reading: https://www.darkreading.com/endpoint/intl-law-enforcement-operation-takes-down-doublevpn/d/d-id/1341439?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat

On June 8, 2021, Microsoft released an advisory and patch for CVE-2021-1675 (“PrintNightmare”), a critical vulnerability in the Windows Print Spooler. Although originally classified as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that CVE-2021-1675 is still exploitable on some systems that have been patched. As of this writing, at least 3 different proof-of-concept exploits have been made public . Rapid7 researchers have confirmed that public exploits work against fully patched Windows Server 2019 installations. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, all domain controllers, even

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers. from Dark Reading: https://www.darkreading.com/risk-management/3-things-every-ciso-wishes-you-understood/a/d-id/1341379?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Without a top-notch team to stop attackers, our favorite modes of transportation could come to a screeching halt. from Dark Reading: https://www.darkreading.com/edge/theedge/7-skills-the-transportation-sector-needs-to-fuel-its-security-teams/b/d-id/1341438?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kerry Matre, senior director at Mandiant, discusses the appropriate metrics to use to measure SOC and analyst performance, and how MTTR leads to bad behavior. from Threatpost https://threatpost.com/mttr-bad-secops/167440/

Threat actors may have been duking it out for control of the compromised devices, first using a 2018 RCE, then password-protecting a new vulnerability. from Threatpost https://threatpost.com/zero-day-wipe-my-book-live/167422/

The "PrintNightmare" bug may not be fully patched, some experts are warning, leaving the door open for widespread remote code execution attacks. from Threatpost https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/

On June 29, 2021, security researcher Michael Stepankin ( @artsploit ) posted details of CVE-2021-35464 , a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises. ForgeRock has issued Security Advisory #202104 to provide information on this vulnerability and will be updating it if and when patches are available. The weakness exists due to unsafe object deserialization via the Jato framework , with a disturbingly diminutive proof of concept that requires a single GET / POST request for code execution: GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object> ForgeRock versions below 7.0 running on Java 8 are vulnerable and the weakness also exists in unpatched versions of the Open Identify Platform’s fork of OpenAM . ForgeRock/OIP installations running on Java 9 or higher are unaffected. As of July 29,

Security experts share their observations of the past year in cybersecurity M&A, highlighting key trends and notable deals. from Dark Reading: https://www.darkreading.com/endpoint/9-hot-trends-in-cybersecurity-mergers-and-acquisitions/d/d-id/1341375?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance. from Dark Reading: https://www.darkreading.com/risk/is-compliance-only-security-giving-cybercriminals-your-security-playbook/a/d-id/1341370?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A GAO report finds government agencies are using the technology regularly in criminal investigations and to identify travelers, but need stricter management to protect people’s privacy and avoid inaccurate identification from Threatpost https://threatpost.com/feds-manage-facial-recognition-privacy-concerns/167419/

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data. from Dark Reading: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/google-updates-vulnerability-data-format-to-support-automation/d/d-id/1341437?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Premiums have gone up by 7% on average for small firms and between 10% and 40% for medium and large businesses. from Dark Reading: https://www.darkreading.com/risk/ransomware-losses-drive-up-cyber-insurance-costs/d/d-id/1341436?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The return to offices, coupled with uninformed users (including IT pros) has teed up an unprecedented risk of enterprise attack. from Threatpost https://threatpost.com/users-clueless-cybersecurity-risks-study/167404/

Organizations often focus on promoting best practices, CISA says, but stopping poor security practices is equally important. from Dark Reading: https://www.darkreading.com/risk/cisa-publishes-catalog-of-poor-security-practices/d/d-id/1341435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Starting a new job at a new company can be daunting, particularly during a global pandemic. With interviews via Zoom, onboarding gone remote, first days at home instead of in a brand new office, and so many other shifts since the onset of the pandemic, switching jobs and companies is probably not something most would even consider. While this may seem to be the case for many, we’ve welcomed many new employees to our team around the globe since March 2020! Interested in learning why these individuals chose to make a job change during these uncertain times and how Rapid7 made the decision a no-brainer? Read on to find out from a few of our Belfast-based Software Engineers! Thomas Franklin, Software Engineer II, Joined Rapid7 September 2020 Lauren Quinn, Software Engineer II, Joined Rapid7 November 2020 Danielle Topping, Senior Software Engineer, Joined Rapid7 September 2020 Niall O’Hagan, Lead Software Engineer, Joined Rapid7 January 2021 Q: Where did you hear about Ra

Survey data reveals many people have never heard of major cyberattacks, including the attack targeting Colonial Pipeline. from Dark Reading: https://www.darkreading.com/attacks-breaches/survey-data-reveals-gap-in-americans-security-awareness/d/d-id/1341434?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Disguised as an invoice, cybercriminals use a Windows-supported disk image to obfuscate malware from email gateways and security scanners. The question is how viable will it be? from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/yet-another-disk-image-file-format-spotted-in-the-wild-used-to-deliver-malware

With the bad guys looking for the fastest means to get from attack to a big payout, BEC tactics are shifting tactics to adjust to organizations being better prepared. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/35-of-all-security-incidents-are-business-email-compromise-phishing-attacks

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk. from Dark Reading: https://www.darkreading.com/endpoint/technologys-complexity-and-opacity-threaten-critical-infrastructure-security/a/d-id/1341368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The bug in Edge's auto-translate could have let remote attackers pull off RCE on any foreign-language website just by sending a message with an XSS payload. from Threatpost https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-cataloging-bad-practices-increase-cyber-risk

I'm not sure why this is not all over the press. Bloomberg picked up on this though. A pair of South African brothers have vanished, along with Bitcoin worth $3.6 billion from their cryptocurrency investment platform. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/eye-opener-the-biggest-bitcoin-heist-ever-a-whopping-3.6-billion-dollars

Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example). Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it. The software engineers proposed a three-part test. First, the court should have access to the “Known Error Log,” which should be part of any professionally developed software project. Next the court should consider whether the evidence being presented could be materially affected by a software error. Ladkin and his co-authors noted that a chain of emails back and forth are unlikely to have such an error, but the time that a software tool logs when an application was used could easily be incorrect. Finally, the reliability experts recommended seeing whether the code adheres to an industry standard used in an non-computerized version of the task (e.g., bookkeepers always record every

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. from Dark Reading: https://www.darkreading.com/endpoint/3-ways-cybercriminals-are-undermining-mfa/a/d-id/1341341?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-11-25-heads-up-attackers-abuse-your-google-docs-with-a-new-phishing-angle

Unlike traditional phishing emails that simply attach or link to a malicious file, a new scam from cybercriminal group BazaCall makes victims call in and be instructed to download the malware. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/new-phishing-attack-adds-a-call-center-step-to-get-you-to-download-malware

Despite organizational leadership believing cyber security initiatives can support business goals, the way businesses approach cybersecurity seems to prove otherwise. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cybersecurity-and-business-priorities-dont-appear-to-be-aligning-and-thats-bad-for-your-security-stance

A phishing campaign is using Windows Imaging Format (WIM) files to deliver malware, according to researchers at Trustwave. WIM files aren’t commonly thought of as potentially malicious, so they’re more likely to bypass security filters. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/an-unusual-attachment-is-most-likely-a-phishing-campaign

Introduction Using and abusing the BITS service is a lot of fun. I can’t believe Windows just gives away this hacker tool for free. But wait, wait, are you telling me that there’s more? Does it come with a free blender? What else can this service do for me? In the last installment, we covered the Background Intelligent Transfer Service (BITS) and how you can use this service and its corresponding utility, bitsadmin [1] , to Live Off the Land [2] . Go back and review BITS for Script Kiddies ( https://www.trustedsec.com/blog/bits-for-script-kiddies/ ) if you want more details, but in essence, BITS is a service provided by the Windows operating system to transfer files. It allows the user to download and upload files, and it is used by the operating system for downloading Windows updates. This service can be used with the command line utility, PowerShell cmdlets, or a COM interface [3] . Previously, we looked at how to Live Off the Land using BITS instead of uploading (and possibly c

Disclosure of a bug in Adobe’s content-management solution - used by Mastercard, LinkedIn and PlayStation – were released. from Threatpost https://threatpost.com/rce-bug-in-adobe-revealed/167382/

The legit security tool has shown up 161 percent more, year-over-year, in cyberattacks, having “gone fully mainstream in the crimeware world.” from Threatpost https://threatpost.com/cobalt-strike-cybercrooks/167368/

After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it's happened again - with big security ramifications. from Threatpost https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/

Rogue driver was distributed within gaming community in China, company says. from Dark Reading: https://www.darkreading.com/endpoint/microsoft-refining-third-party-driver-vetting-processes-after-signing-malicious-rootkit/d/d-id/1341420?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The company suspects a remote code execution vulnerability affecting My Book Live and My Book Live Duo devices and recommends that business and individual users turn off the drives to protect their data. from Dark Reading: https://www.darkreading.com/attacks-breaches/attacks-erase-western-digital-network-attached-storage-drives/d/d-id/1341419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A survey from GSMA and Trend Micro shows a concerning lack of security capabilities for private 5G networks (think factories, smart cities, industrial IoT, utilities and more). from Threatpost https://threatpost.com/mobile-operators-5g-security-vulnerabilities/167354/

A vulnerability in NVIDIA’s GeForce Experience software opens the door to remote data access, manipulation and deletion. from Threatpost https://threatpost.com/nvidia-high-severity-geforce-spoof-bug/167345/

The legislation requires the National Telecommunications and Information Administration to establish a cybersecurity literacy campaign. from Dark Reading: https://www.darkreading.com/attacks-breaches/new-house-bill-aims-to-drive-americans-security-awareness/d/d-id/1341418?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The company attributes the attack to Nobelium, the same group it linked to the SolarWinds campaign earlier this year. from Dark Reading: https://www.darkreading.com/endpoint/microsoft-tracks-attack-campaign-against-customer-support-agents/d/d-id/1341416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

American IT companies and government have been targeted by the Nobelium state-sponsored group.   from Threatpost https://threatpost.com/russian-attackers-breach-microsoft/167340/

What if insurers were to offer companies an incentive -- say, a discount -- for better protecting themselves? from Dark Reading: https://www.darkreading.com/edge/theedge/an-interesting-approach-to-cyber-insurance/b/d-id/1341413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Experts discuss the meaning of action bias and how it presents a threat to IT security leaders, practitioners, and users. from Dark Reading: https://www.darkreading.com/careers-and-people/the-danger-of-action-bias-is-it-always-better-to-act-quickly/d/d-id/1341415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Executive Summary In mid-May 2021, Insikt Group reported that a further 11 organizations were likely targeted by the same DarkSide affiliate that had compromised Colonial Pipeline. Substantial network communications matching a Recorded Future heuristic behavioral signature were observed on April 27 from 9 of these organizations to a Cobalt Strike command and control (C2) server (176.123.2[.]216) that was used in the operation to target Colonial Pipeline. Insikt Group tracks this ransomware-as-a-service (RaaS) affiliate and its activities internally as TAG-21. In the two weeks after these organizations were first targeted, 5 of those 9 organizations were also communicating with suspected WellMess and Sliver C2s. Recorded Future Network Traffic Analysis (NTA) confirmed that over 35 entities across multiple verticals and geographies, including Fortune 500 companies, were communicating with the same suspected C2 infrastructure, indicating potential compromise. Almost all of the targete