Posts

Showing posts from July, 2021

Schneier - Friday Squid Blogging: Squid Skin Is Naturally Anti-microbial

Often it feels like squid just evolved better than us mammals. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2021/07/friday-squid-blogging-squid-skin-is-naturally-anti-microbial.html

Threat Post - NSA Warns Public Networks are Hacker Hotbeds

Agency warns attackers targeting teleworkers to steal corporate data. from Threatpost https://threatpost.com/nsa-warns-public-networks-are-hacker-hotbeds/168268/

Rapid 7 - Metasploit Wrap-Up

Image
New Olympic Discipline: Hive Hunting This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont ). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution. Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934 . You can find more information about the rules in this blog post . Happy Hive hunting! Gold Medal for Ne...

Schneier - I Am Parting With My Crypto Library

The time has come for me to find a new home for my (paper) cryptography library. It’s about 150 linear feet of books, conference proceedings, journals, and monographs — mostly from the 1980s, 1990s, and 2000s. My preference is that it goes to an educational institution, but will consider a corporate or personal home if that’s the only option available. If you think you can break it up and sell it, I’ll consider that as a last resort. New owner pays all packaging and shipping costs, and possibly a purchase price depending on who you are and what you want to do with the library. If you are interested, please email me. I can send photos. from Schneier on Security https://www.schneier.com/blog/archives/2021/07/i-am-parting-with-my-crypto-library.html

Threat Post - Novel Meteor Wiper Used in Attack that Crippled Iranian Train System

A July 9th attack disrupted service and taunted Iran’s leadership with hacked screens directing customers to call the phone of Iranian Supreme Leader Khamenei with complaints. from Threatpost https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/

KnowBe4 - Visit KnowBe4 at Black Hat USA 2021 - Virtual & In Person Event

Image
Are you attending  Black Hat USA 2021  (either in person or virtually) ? Be sure to stop by the   KnowBe4 booth   August 4th - 5th   to find out how to secure your last line of defense: USERS. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/visit-knowbe4-at-black-hat-usa-2021-virtual-in-person-event

US-CERT - NSA Releases Guidance on Securing Wireless Devices While in Public

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/nsa-releases-guidance-securing-wireless-devices-while-public

KnowBe4 - Two of the Most Common and Successful Ransomware Attack Methods are Exposed

Image
Researchers at Coveware recently analyzed ransomware attacks during Q2 of this year and noticed a similar trend in ransomware attack methods by cybercriminals. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/two-of-the-most-common-and-successful-ransomware-attack-methods-are-exposed

KnowBe4 - Ransomware Attacks This Year Are Already Higher Than 2020

Image
According to the 2021 Cyber Threat Report by SonicWall, 304.7 million ransomware attacks occured in the first half of 2021, already surpassing the total number of ransomware attacks for all of 2020 with 304.6 million (a 151% increase YTD). from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/ransomware-attacks-this-year-are-already-higher-than-2020

Recorded Future - “Beijing One Pass” Employee Benefits Software Exhibits Spyware Characteristics

Image
Editor’s Note : The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF. Executive Summary A Recorded Future client provided information to Insikt Group relating to a potential security incident triggered by a software application called “Beijing One Pass”. This Chinese government-backed application enables access to state benefits information and was downloaded by employees of the Recorded Future client after they were informed that paper copies of the information would no longer be available. Insikt Group independently verified that the installed application exhibits characteristics consistent with potentially unwanted applications (PUA) and spyware. The software is associated with the Beijing Certificate Authority (北京数字认证股份有限公司), which is a Chinese state-owned enterprise (BJCA, www.bjca[.]cn).  Some notable suspicious behaviors relate to several dropped files and subsequent processes initiated from the prim...

US-CERT - CISA Announces Vulnerability Disclosure Policy (VDP) Platform

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/07/30/cisa-announces-vulnerability-disclosure-policy-vdp-platform

Black Hills InfoSec - What To Know About Microsoft’s Registry Hive Flaw: #SeriousSAM

Image
#hivenightmare / #lolwut Jeff McJunkin* // What is it? tl;dr — Unpatched privilege escalation in Windows 10 in nearly all supported builds. The vulnerability (CVE-2021–36934) allows an attacker with limited user code execution on Windows 10 (or 11) to gain administrative privileges locally, allowing any of the following follow-on attacks: Stealing credential material for any […] The post What To Know About Microsoft’s Registry Hive Flaw: #SeriousSAM appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/what-to-know-about-microsofts-registry-hive-flaw-serioussam/

KnowBe4 - Happy 22nd Annual SysAdmin Day from KnowBe4!

Image
It’s the 22nd annual SysAdmin Day, a day when we celebrate all of the incredible System Administrators! While your job may not be easy (and sometimes not glamorous), your work on the maintenance of your company's computer operations should definitely be celebrated. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/happy-22nd-annual-sysadmin-day-from-knowbe4

Schneier - Storing Encrypted Photos in Google’s Cloud

New paper: “ Encrypted Cloud Photo Storage Using Google Photos “: Abstract: Cloud photo services are widely used for persistent, convenient, and often free photo storage, which is especially useful for mobile devices. As users store more and more photos in the cloud, significant privacy concerns arise because even a single compromise of a user’s credentials give attackers unfettered access to all of the user’s photos. We have created Easy Secure Photos (ESP) to enable users to protect their photos on cloud photo services such as Google Photos. ESP introduces a new client-side encryption architecture that includes a novel format-preserving image encryption algorithm, an encrypted thumbnail display mechanism, and a usable key management system. ESP encrypts image data such that the result is still a standard format image like JPEG that is compatible with cloud photo services. ESP efficiently generates and displays encrypted thumbnails for fast and easy browsing of photo galleries from...

Threat Post - UC San Diego Health Breach Tied to Phishing Attack

Employee email takeover exposed personal, medical data of students, employees and patients. from Threatpost https://threatpost.com/uc-san-diego-health-breach/168250/

KnowBe4 - Scammers Use Milanote App to Host Phishing Content and Avoid Detection by Secure Email Gateways

Image
The “Evernote for creatives” collaborative platform is being used to legitimately host malicious links that point victims to phishing links, bypassing detection mechanisms. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/scammers-use-milanote-app-to-host-phishing-content-and-avoid-detection-by-secure-email-gateways

Threat Post - CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer

There are patches or remediations for all of them, but they're still being picked apart. Why should attackers stop if the flaws remain unpatched, as so many do? from Threatpost https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/

KnowBe4 - The World’s Most Impersonated Brand in Phishing Attacks Is… (and it’s NOT Microsoft!)

Image
Despite so much news surrounding phishing attacks pretending to be from Microsoft’s Office 365 platform, a new report from Vade Secure provides a global perspective to impersonation. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/the-worlds-most-impersonated-brand-in-phishing-attacks-is-and-its-not-microsoft

KnowBe4 - Over 700 Ransomware Victim Organizations are Named on Data Leak Sites in Q2

Image
This massive increase in the number of victim organizations being named demonstrates the harsh reality of how far ransomware threat actors will actually go if ransoms aren’t paid. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/over-700-ransomware-victim-organizations-are-named-on-data-leak-sites-in-q2

Krebs - The Life Cycle of a Breached Database

Image
Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database. Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse. When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that a...

Threat Post - Israeli Government Agencies Visit NSO Group Offices

Authorities opened an investigation into the secretive Israeli security firm. from Threatpost https://threatpost.com/government-nso-offices/168241/

Threat Post - Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them

Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them. from Threatpost https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/

KnowBe4 - Image Inversion as a Phishing Technique

Image
Researchers at WMC Global have found that a phishing kit is using images with inverted colors to avoid detection. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/image-inversion-as-a-phishing-technique

Schneier - AirDropped Gun Photo Causes Terrorist Scare

A teenager on an airplane sent a photo of a replica gun via AirDrop to everyone who had their settings configured to receive unsolicited photos from strangers. This caused a three-hour delay as the plane — still at the gate — was evacuated and searched. The teen was not allowed to reboard. I can’t find any information about whether he was charged with any of those vague “terrorist threat” crimes. It’s been a long time since we’ve had one of these sorts of overreactions . from Schneier on Security https://www.schneier.com/blog/archives/2021/07/airdropped-gun-photo-causes-terrorist-scare.html

Rapid 7 - [Security Nation] Philipp Amann on No More Ransom

Image
In this episode of Security Nation, we're joined by Philipp Amann of Europol. Jen and Tod chat with Philipp about No More Ransom, a Europol-lead effort to combat ransomware by providing technical means to unlock encrypted drives, covering dozens of ransomware kits from Alpha to Ziggy, as well as working with a bunch of countries' national police forces around the world. Oh, and here's a spoiler: NMR estimates they're responsible for saving almost 1 billion dollars in ransom demands over its 5-years-and-counting run. Amazing! NMR also: Features 121 decryption tools addressing 151 ransomware families Has been downloaded approximately 6 million times Saved victim orgs approximately $900 million in unpaid ransoms Read more on NMR in Jen’s recent blog ! Tod and Jen then lament the COVID-19 situation in Las Vegas (stay safe and healthy out there, everyone!) and chat about the latest NTLM attack technique, dubbed PetitPotam. And new on the blog this week: show notes! J...

Black Hills InfoSec - Talkin’ About Infosec News – 7/28/2021

Originally Aired on July 26, 2021 Articles discussed in this episode: 00:00 – BHIS | Talkin’ Bout News 2021-07-26 03:54 – Story # 1: https://ift.tt/3ycXkE3 18:53 – Story # 2: https://ift.tt/3yctNdW 30:26 – Story # 3: https://ift.tt/3f2QA3Z 51:48 – Random Crap The post Talkin’ About Infosec News – 7/28/2021 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/talkin-about-infosec-news-7-26-2021/

Dark Reading - 8 Security Tools to be Unveiled at Black Hat USA

Security researchers and practitioners share a host of new cyber tools for penetration testing, reverse engineering, malware defense, and more. from Dark Reading: https://www.darkreading.com/attacks-breaches/8-security-tools-to-be-unveiled-at-black-hat-usa/d/d-id/1341574?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - BlackMatter & Haron: Evil Ransomware Newborns or Rebirths

They’re either new or old REvil & DarkSide wine in new bottles. Both have a taste for deep-pocketed targets and DarkSide-esque virtue-signaling. from Threatpost https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/

Threat Post - Reboot of PunkSpider Tool at DEF CON Stirs Debate

Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. from Threatpost https://threatpost.com/punkspider-def-con-debate/168223/

KnowBe4 - Cybercriminals Are Growing More Organized

Image
The cybercriminal underground is becoming increasingly organized, according to researchers at HP. The criminal underground functions like a regular economy, with people selling goods and services such as phishing kits, malware, and access to compromised networks. As a result, the bar of entry is lower since unskilled criminals can buy the things that previously prevented them from engaging in cybercrime. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cybercriminals-are-growing-more-organized

US-CERT - Top Routinely Exploited Vulnerabilities

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/07/28/top-routinely-exploited-vulnerabilities

US-CERT - Top Routinely Exploited Vulnerabilities

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/alerts/aa21-209a

Recorded Future - BlackMatter Ransomware Emerges As Successor to DarkSide, REvil

Image
BlackMatter is a new ransomware-as-service (RaaS) affiliate program that was founded in July 2021. According to BlackMatter, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit”. According to their public blog, below, the threat actor group does not conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government. Figure 1: Public extortion blog (Source: BlackMatter Ransomware)   BlackMatter, a member of the top-tier forum Exploit and likely an operator of BlackMatter ransomware, is currently advertising the purchase of access to corporate networks in the US, Canada, Australia, and the UK. The threat actor is interested in all industries, except healthcare and governments, and has the following requirements for targets: Revenue of $100 million and more 500-15,000 hosts in the network   Figure 2: Public Advertisement (Source: Forum Expl...

Recorded Future - China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road

Image
Editor’s Note : The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF. This report profiles the growth of China’s global digital presence and influence through state-sponsored development of digital infrastructure in foreign countries, cyber espionage enablement, and the export of Chinese surveillance technology. This examination weighs the privacy and security risks associated with Beijing’s growing global influence through programs such as the Digital Silk Road Initiative. Data sources include the Recorded Future Platform, academic papers, government reports, and common open-source tools. The report will be of most interest to democratic governments, strategic decision-makers in developing regions such as Latin America, Africa, and South Asia, cyber defense groups, and corporations hosting data in developing regions. Analysis cut-off date: June 22, 2021. Executive Summary Through the Digital Silk Road Initiati...

Schneier - De-anonymization Story

This is important : Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members’ addresses, and more. […] The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold­ — and still sell — ­location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement , roadside services, and even bounty hunters . Carriers were caught in 2018 selling real-time location data to brokers , drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn’t . This year, T-Mobile even broadened its offerings , selling customers...

Threat Post - Podcast: Why Securing Active Directory Is a Nightmare

Researchers preview work to be presented at Black Hat on how AD “misconfiguration debt” lays out a dizzying array of attack paths, such as in PetitPotam. from Threatpost https://threatpost.com/podcast-securing-active-directory-nightmare/168203/

Threat Post - No More Ransom Saves Victims Nearly €1 Over 5 Years

No More Ransom is collecting decryptors so ransomware victims don’t have to pay to get their data back and attackers don’t get rich. from Threatpost https://threatpost.com/no-more-ransom-saves-victims-e1-5-years/168192/

Threat Post - Zimbra Server Bugs Could Lead to Email Plundering

Two bugs, now patched except in older versions, could be chained to allow attackers to hijack Zimbra server by simply sending a malicious email. from Threatpost https://threatpost.com/zimbra-server-bugs-email-plundering/168188/

KnowBe4 - Warning: A New Ransomware Cartel Has Formed Sharing Techniques, Code, and Infrastructure

Image
In a new twist, security researchers at Analyst1 have identified four Russian ransomware gangs that actively work together to coordinate attacks, data leaks, and more. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/warning-a-new-ransomware-cartel-has-formed-sharing-techniques-code-and-infrastructure

KnowBe4 - U.K. Employees Pose a Major Cybersecurity Risk to Business as They Return to the Office

Image
After well over a year of getting used to working from home, as U.K. employees look to head back into the office, new data shows they don’t see themselves as a cyber risk (which makes them one!). from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/u.k.-employees-pose-a-major-cybersecurity-risk-to-business-as-they-return-to-the-office

KnowBe4 - 77% of Organizations Are Unable to Access Systems or Networks Post-Ransomware Attack

Image
The fallout after a ransomware attack is more devastating than previously thought. New data spells out what you should really expect after being hit with ransomware. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/77-of-organizations-are-unable-to-access-systems-or-networks-post-ransomware-attack

US-CERT - CISA Releases Security Advisory for Geutebruck Devices

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/cisa-releases-security-advisory-geutebruck-devices

Threat Post - Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers

The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP. from Threatpost https://threatpost.com/zero-days-kaseya-unitrends-backup-servers/168180/

Rapid 7 - Multiple Open Source Web App Vulnerabilities Fixed

Image
Today, Rapid7 is disclosing 9 vulnerabilities that affect 3 open-source projects: EspoCRM , Pimcore , and Akaunting . Right out of the gate, I'd like to give a special thanks to these 3 open-source project maintainers. While it's never great to learn of new vulnerabilities in your own product, all 3 project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day , which is amazing when it comes to vulnerability disclosure. EspoCRM was notified on May 4, 2021 and patched source on May 5; Akaunting, on May 13 and turned it around on May 14; and Pimcore validated their vulnerabilities on April 29 after learning about them on April 28, 2021. Nice work, all around. Now, I'm not sure why open source is just so much faster than the typical proprietary software vuln-patching pipeline, at least for the disclosures I've been involved in. It might be because, in open source, you're almost guaranteed to have your first communication with a...