The Diana Initiative 2021

Outstanding talks by these amazing speakers

Spark a Journey! This is the week! Friday July 16 and Saturday July 17. This year’s event will be virtual again, building off success and lessons learned from last year.

As the website states, TDI is a diversity-driven conference committed to helping all underrepresented genders, sexualities, races and cultures in Information Security.

The theme for 2021 is “Spark A Journey” to celebrate that force, that spark within each of us that can lead to many ways we inspire and drive change. The beautiful stylized images of the paper cranes by the wonderful @1dark1 represent metamorphosis, a symbolic re-emergence after the many long months of pandemic confinement and isolation. It’s a hopeful, empowering message we all need just now.

This year’s event will have multiple speaker tracks, fully expanded villages and workshops and a women-led Capture the Flag event. Tickets are available and so affordable! Get yours here and come join us: https://hopin.com/events/2021-diana-initative

Exciting News! TDI at RSA 2021

I’m honoured to represent The Diana Initiative again this year at RSA! We’ll be hosting an interactive and engaging session on Career Paths as part of the “Birds of a Feather” series. What better way to give back and welcome in new talent and ideas! Our session will be on Wednesday May 19, starting at 10:05 PST / 1:05 EST just after the amazing opening talk by Caroline Wong. https://www.rsaconference.com/usa 

4/16/2021

You made it!

Geopolitics: Yesterday the US hit back hard at Russian cyberattacks and meddling. An exec order from the Oval Office delivers wide-ranging economic sanctions that hit right where it hurts, so that Russia won’t be able to raise the funds it needs the way it has been, plus adds in some diplomatic expulsions. And it prohibits US banks from buying ruble bonds. The EO impacts several tech firms including Positive Technologies. You can read the details here. Be prepared for fallout.

Severe bug warning for OT in EtherNet/IP Stack per The Hacker News

CISA issued this advisory on Thursday for a number of severe vulnerabilities in OpENer EhterNet/IP stack that could put industrial systems at risk of RCE, DoS and data leaks. The warning extends to all OpENer commits and versions before February 10 2021. To exploit, an attacker need only send crafted ENIP or CIP packets to a device. As we now know (because I keep telling you 😊) OT and industrial systems are different and need our attention.

Codecov Possible Supply Chain compromise 😱 per Bleeping Computer

In a year of supply chain compromise, here’s another. Codecov is an online platform used by over 29,000 enterprise organizations like Atlassian, GoDaddy, proctor &Gamble. Yeah. It helps measure source code execution during testing, because stats matter.

Looks like a threat actor may have found their way into the system back in January, and tampered with the Bash Uploader script, the tool clients use to upload their code reports. The tainted version – omg does this feel like SolarWinds?!- could allow access and export of sensitive client info including credentials, tokens, keys plus services, app codes etc. If you are using this service you need to get on this asap.

Daily Perk 4/14/2021

Almost done …

Patch it NOW: Patch Tuesday walloped us with four exciting new RCE vulnerabilities for on-prem Exchange servers. Thankfully no known exploits and Cloud servers are safe. But if you have on-premise Exchange, stop reading and get patching. Please

Patch it Now: per Malwarebytes Lab, There are active exploits 2 vulnerabilities, CVE-2021-21206 and 21220, affecting the Chrome browser but also Edge, Brave and Vivaldi. You can let Google update Chrome automagically but better to make sure it does. Based on current malware trends, there are a hella lot more browser exploits happening.

Buyer Be Wary: per Threatpost. We know a lot of nasty stuff finds its way into GooglePlay store and Google sites. ESentire wrote a report detailing a hundred thousand malicious web pages loaded with malware, awaiting victims sent there via SEO tactics, all for the sake of an invoice template.

This drive-by-download compromise is increasing, bacause it works. And given the new way or working remote, the potential for individual compromise to become corporate is definitely a concern. Case in point: a victim in FI who sought a free version of a document and trusted their search results via Google to a Google site page where threat actors took over. Given these are cybercriminals at work, their dirt RATs are all about “show me the money”.

Daily Perk 4/13/2021

One down, one to go

Happy Patch Tuesday!

Chrome 0day exploit shared on Twitter per Threatpost

A security researcher perhaps a little too eagerly shared their Pwn2Own discovery by tweeting a link to the exploit code yesterday. The code is for a remote code execution vulnerability that affects current versions of browsers using Chromium, like Google Chrome but also Mucrosoft Edge and others. Potentially all kinds of bad.

Now, Pwn2Own rules are that companies get notified before the bug gets dropped, so they can make and issue patches. That was the intention but the patch had not yet been deployed into official releases of the browsers. Oops 😬 Google will be releasing a new version of Chrome today which may or may not fix it. The upside fwiw is that the code shared is not “fully weaponized” ie it is not a full exploit chain capable of escaping the sandbox.

NAME:WRECK vulnerabilities impact IoT/OT per ZDNet

From the things that brought you Urgent/11 and Ripple20, now there’s NAME:WRECK. Vulnerabilities in millions of IoT devices that could let attackers disable them or control them remotely, ultimately gaining more network access. Nine vulnerabilities, four TCP/IP stacks, and potentially 100 million devices used by consumers, industry and enterprise.

Security patches are available but unlike with IT, it’s not a simple process for IoT or OT. Chances are that many will remain unpatched rather than risk breaking software, configurations and older equipment that has been painstakingly put in place. At high risk will be healthcare, already hard hit by ransomware attacks. Network segmentation and monitoring network traffic will provide mitigation when patching can’t be done.

Watch for the QBot / IcedID rotation per Bleeping Computer

Just to mix it up, malware operators are shuffling between IcedID (kinda the new Emotet) and QBot banking trojans. Both are nasty, multi-stage attack functional and will deliver a ransomware payload. and both are using Ettersilent, an increasingly popular service to build malicious documents.

Daily Perk 4/9/2021

Happy Weekend to All

IcedID – The new Emotet? per Threatpost

Don’t worry – Emotet isn’t really gone. It just stepped back a bit, and as we’ve seen happen, a new contender has stepped up. In this case, modular malware banking trojan IcedID aka BokBot has made its presence known in 2021, serving as a dropper for other malware via Email campaigns using MS Excel attachments. Sounds familiar right? Evasion techniques include:

Hiding macro formulas in three different sheets; masking the macro formula using a white font on white background; and shrinking the cell contents and making the original content invisible

Microsoft’s blog today delved further into a “unique form of email delivery for IcedID malware, looking at the abuse of website contact forms and emails with malicious links sent to enterprises. Contents download – you guessed it – IcedID. This is a good heads up for organizations because the abuse of website contact forms can bypass protections by piggybacking on legitimate infrastructure.

Pwn2Own finds critical Zoom vulnerability for RCE per ZDNet

Zoom really stepped up efforts last year to secure a platform that was never intended for the volume of use it received during the pandemic. It’s become a mainstay for personal and business purposes. With so many users, that’s a big target. The annual Pwn2Own hacking competition is a great way to test what we think is secure and patch potential holes, or open our minds to all kinds of attacker thinking. This year, researchers from Computest showed a how a chain built from three vulnerabilities could lead to RCE on a target device with NO user interaction required, as per the animated attack here. Currently, the attack has been shown to work against Zoom on Windows and Mac. It’s not tested yet on iOS or Android. The browser version is SAFE. Zoom has been notified and has 90 days to develop a security solution for something nobody was looking for – except an attack. This is effective collaboration!