
Come be part of this welcoming event that works to unite women through learning and collaboration in a global CTF. You can sign up to register here

Ransomware Attacks Aim Higher at SaaS and Cloud per Dark Reading
Ransomware operators are following that mass migration to the Cloud. Researchers at RiskSense released a report showing a shift in targets to move up the stack, tracking data-dense applications and software as a service, web frameworks and open source tools.
Ransomware attacks are also affecting perimeter technologies, which include VPNs, remote access services and zero trust. And for that initial access, a reported 125 active Ransomware groups are leveraging some critical vulnerabilities, 124 CVEs with active exploits, to gain RCE and privilege escalation. These tactics bypass the need to engage a user. Read the RiskSense report for more details.
Cloud-Native Apps and Supply Chain Security per Dark Reading
Which segues to this topic. The modern programming languages we use are modular, with interchangeable blocks or plugins to provide key functions for text, networking or doing math. The code is shared and available through open source repositories and platforms like GitHub. Per the article, 99% of codebases have components from open source and as much as 70% of code used by enterprises comes from open source.
Welcome to the realities of third-party code, where security issues have become headlines. It’s compromised in Magecart attacks. It’s a conduit for attackers to poison and distribute their malware downstream. Fact is, the flaws and vulnerabilities in that code are now in the attackers’ sights. “The inventory, version and configuration of services in a cloud environment should be looked at as part of the supply chain, including the scripts used by DevOps to provision them”.

TrickBot Update: per Bleeping Computer.
TrickBot has levelled up again, this time making its well-equipped BazarBackdoor malware even more evasive by writing it in the Nim programming language, specifically the backdoor component. As conventional AV won’t be looking for this more obscure language just yet, don’t let it slip on in.
Military, Nuclear Entities Under Target by Novel Android Malware per Threatpost
More surveillance malware targeting Android users, the vast majority of mobile users. This malware can severely compromise a user’s safety by accessing SMS messages and encrypted messages from WhatsApp (widely used) as well as geolocation. People everywhere rely on encrypted messaging services and the ability to shield their location for personal protection. Attackers learn from each other and copy what works. Lessons in here to extrapolate and apply more broadly.
Impressive work by Lookout security researchers linking the surveillanceware to APT group Confucius in their latest report.

Patch Tuesday Quick Hits: 56 just from Microsoft. 3 critical and high severity TCP/IP bugs that are magnets for exploit. Two for .NET Framework which are manual patches. And the critical one for Windows DNS Server. May the patching gods smile upon you.
Dependency Confusion: How I Hacked into Apple, Microsoft and Dozens of Other Companies by Alex Birsan on Medium
We live in an increasingly interconnected digital world, where relationships and connections need to be understood and monitored at the system level, up through business and personal levels. Trust but verify. Attackers will be actively seeking out dependency vulnerabilities, leveraging automated downloads and targeting open source repositories.
With automation, trust and expectation are bigger factors than we realize. Security researchers Alex Birsan and Justin Gardner highlight “Dependency Confusion” and how it can turn into something we missed.
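As an added example (not from Birsan’s write-up or any project on this page), here is a small audit of the two conditions the confusion relies on when a build pulls dependencies automatically: a pip configuration that merges a public index with the private one via `extra-index-url`, and internal package names that are not pinned and hashed. The package names, index URLs and file contents are constructed for the example.

```python
"""Audit pip settings and a requirements file for dependency-confusion exposure."""
import configparser
import re

# Packages that exist only on the internal index (constructed sample set).
INTERNAL_PACKAGES = {"acme-billing", "acme-auth"}
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==)?\s*(\S*)")

# Constructed samples: the weak configuration beside the corrected one.
WEAK_PIP_CONF = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""
FIXED_PIP_CONF = """[global]
index-url = https://pypi.internal.example/simple
"""
REQUIREMENTS = """requests==2.25.1
acme-billing==1.4.2 --hash=sha256:PLACEHOLDER_HASH
Acme_Auth>=1.0
"""

def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Acme_Auth' and 'acme-auth' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_pip_conf(text: str) -> list:
    """Flag extra-index-url: pip merges that index with index-url and installs
    the highest version it finds, so a same-named public package can win."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return [f"[{s}] extra-index-url merges a public index with the private one"
            for s in cfg.sections() if cfg.has_option(s, "extra-index-url")]

def audit_requirements(text: str) -> list:
    """Flag internal packages not pinned with == or lacking a --hash entry;
    hash-checking mode makes pip reject a substituted artifact."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if not m or canonical(m.group(1)) not in INTERNAL_PACKAGES:
            continue
        if m.group(2) != "==":
            findings.append(f"{m.group(1)}: not pinned to an exact version")
        if "--hash=" not in line:
            findings.append(f"{m.group(1)}: no --hash, substituted artifact would install")
    return findings
```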

WordPress Advisory: Critical vulnerability found in NextGen Gallery plugin. Cross-site request forgery and potential remote code execution will lead to more than tears. Over 800k installs out there and 530k still need to patch.
Security Gaps in OT Exposed With Hacker Attempt to Poison Florida City Water per SC Media
Let this serve as more than just a cautionary tale because next time the consequences could be deadly. An unknown attacker gained remote access and tried to increase the quantity of sodium hydroxide, or lye, in the water treatment plant. Apparently the specialized ICS and SCADA systems running the plant were “outdated, unpatched and available for review on the internet, leaving them incredibly vulnerable to compromise.”
ICS and SCADA were not designed to be internet-facing, so when facilities that use them are put online, the necessary security, monitoring and controls are not in place. It’s easy for attackers to scan for and find exposed instances, and the need for remote work has increased their number.
Attacks on critical infrastructure have increased over the past year, either as a crime of opportunity by low-level attackers or by highly targeted attacks by nation states, such as Iran’s attack on Israeli water systems in 2020.

Safety Issue: iPhone 12 magnet array can disrupt implantable medical devices per ZDNet today. You or someone you care about won’t want to be carrying the latest iPhone in a shirt or upper suit jacket pocket if you have a pacemaker or other sensitive medical implants.
There has been important work done by security researchers, like Dr. Marie Moe, on how medical devices can be compromised. This may be another avenue to investigate.
Here’s How Iran Spies on Dissidents with the Help of Hackers per The Hacker News
Domestic surveillance is an ugly and brutal practice, used by repressive regimes against their citizens, to deny freedom. It’s important for us to learn what tactics are used and what devices and services are abused, because what works gets copied and carried over elsewhere. Iran has cultivated a highly skilled force in cyber espionage, which gathers valuable intel needed for initial access and highly targeted spear phishing attacks on external adversaries. What works domestically could be modified and applied elsewhere …

0-Day exploit alert: Google has a patch out for a Chrome browser heap buffer overflow flaw under active exploit. CVE-2021-21148. More here from Malwarebytes
Cisco warns of critical remote execution flaws in small business VPN routers from ZDNet
This poses some big risks for small businesses using a number of routers, especially since some are considered end-of-life for support and won’t get patches. Flaws are in the web management interface. Cisco released 3 security advisories yesterday. Over the past couple of years, nation state adversaries have been hunting unpatched routers and using them in weaponized botnets. So check yours and patch 😇
Darkside Ransomware hits Electric Utility in Brazil, uses CyberArk from Bleeping Computer
I am seeing more utilities and major manufacturing as targets in the big game hunting of extortionist ransomware attacks. Two Brazilian state-owned electric companies just got hit. One of those, Copel, was hit by Darkside ransomware operators who stole 1000 GB of data, with critical and private info on networks, backups etc.
Of note is they got in by accessing Copel’s CyberArk privileged access management solution where they – sit down – “exfiltrated plaintext passwords across Copel’s local and internet infrastructure.” Wait, there’s more. Darkside says they exfiltrated AD data too. So much could go wrong 😱

Security firm Stormshield discloses data breach, theft of source code from ZDNet
Per the article, Stormshield is a major provider of network security products, some of which are used on sensitive projects, for the French government. Apparently, somebody got in through its customer support portal and stole data on clients. 😦 They also took source code, for the very secure firewall. 😬 CIA triad. Confidentiality got dinged. Integrity – if they took the source code I would be concerned because modifications can happen. Availability – well, things appear to be up and running but we don’t know what the endgame is.
Raise your hand if your business uses or has customer support portals – and every hand is up. Something else to consider as we still process the SolarWinds supply chain attack and where adversaries will seek out the weakest link for access.
Beware: New Matryosh DDoS botnet targeting Android-based Devices from The Hacker News
I’ve done some talks about weaponizing botnets, fun times with Mirai source code, and how Android’s debugging bridge feature, ADB, has been targeted. As reported by Qihoo 360 Netlab, this latest botnet reuses the Mirai botnet framework, propagates via exposed instances of ADB to infect a bunch of Android devices and – voilà – botnet! Matryosh cleverly uses Tor for C2 communications to hide its activities, and nests commands in proxied layers.
ADB is a concern because while it should be off by default, sometimes it gets left on for convenience. What could go wrong, right? Well, this allows an unwanted, uninvited and unauthenticated user to remotely connect via TCP port 5555, and exploits can happen. Do you know how many Android devices are in use right now? 🤭

Well now. A mini meteor storm of SolarWinds updates happened. If you run it, you want to check out a couple of good articles just out on three other flaws they’re patching: SolarWinds Orion Bug Allows Easy Remote Code Execution and Takeover from Threatpost and 3 New Severe Security Vulnerabilities Found in SolarWinds Software from The Hacker News. Trustwave is holding off on releasing its PoC until patches can be applied.
Wind River security incident affects SSNs, passport numbers by Threatpost
A few things that worry me. Like embedded systems and inherent security issues. Wind River makes the software for these highly specialized systems used in aerospace and defence, as well as industry and the automotive sector. This is not your regular IT, so the usual approach to securing it won’t always work. And given where it’s being used – high value targets, critical assets.
And the attack was last September. That’s a lot of months gone by. The people affected were notified, it’s under investigation. But given SolarWinds and a few other sophisticated supply chain attacks in the past year, we need to be a bit more paranoid. Once attackers are in your networks and can steal data, especially sensitive stuff that lets them move laterally to get more data and access, go worst case.
Finally, in 2015 their VxWorks product was vulnerable to a TCP flaw that could allow for spoofing or disruption. Then in 2019 it was part of a large group of devices vulnerable to the Urgent11 bug collection. Given all the above, there’s potential here for certain nation state attackers to dig in, help themselves and leave themselves a few backdoors for later. 🤔
Per the Wall Street Journal on Feb 3 2021, attackers were in SolarWinds’ Office 365 email system from at least December 2019, using one account to compromise others, and leapfrogging on. That’s a lot of time to ingest a lot of details from those emails.
Per Reuters on Feb 2 2021, Chinese hackers used SolarWinds to spy on US payroll. This is a different software issue than the Russians are believed to have used. They were – wait for it – in there at the same time.
We know how damn good China is at cyber espionage – think of many major US breaches they have been behind. This impacts the National Finance Center NFC, responsible for handling the payroll of the FBI, DHS, State Dep’t, for a total of 160 agencies and 600k federal employees. I think that was the sound of the other shoe dropping.