Daily Perk 3/5/2021

Happy Weekend All!

UPDATE: MS Exchange server patches and UAC issues per Bleeping Computer

A heads up for those installing the Exchange server patches: check whether UAC (User Account Control) is enabled. The patch may look like it installed but doesn’t actually fix the problem. Security expert Kevin Beaumont advises validating the build numbers after patching. The issue has to do with certain Exchange-related services not being stopped by the security update. For manual patch installs Microsoft recommends running the installer as Administrator from an elevated command prompt. Wishing you all success!

UPDATE: Three new SolarWinds Malware strains found per The Hacker News

We knew there’d be more, lots more. On March 4 FireEye and Microsoft announced that they had found three more malware types in the massive supply chain attack: Goldmax or SUNSHUTTLE, GoldFinder (I am singing Goldfinger in my head with you now) and Sibot. Goldmax appears to be another sophisticated second-stage backdoor that lets the attackers, now dubbed “Nobelium” by Microsoft, cloak malicious traffic within regular network traffic while downloading more malware and uploading stolen goodies.

The sophistication and crafting of the malware speaks to the resources and focus of this attacker. State-sponsored adversaries are determined and equipped to bypass the defenses and detections in place. What we have to work with is our awareness that these attacks happen, and that constant vigilance and monitoring are key components of doing defense in depth.

Closing note: Robocalls are more than a nuisance: they are a threat. Per ZDNet, the FTC and 38 states took down a massive operation that defrauded victims of $110 million. If you’d like to learn more, I talk about the exponential increases in size and abuse of trust, as well as how to deal with them, on CSuite with Claudette McGowan.

Daily Perk 3/4/2021

Hang in there. It’s Friday Jr!

Uh oh 😟 Working PoC exploit for SIGRed DNS server RCE vuln per Bleeping Computer

We pay attention to vulnerabilities that allow for RCE or remote code execution because it will end in tears and bad things. Last summer Microsoft reported on a doozy of a flaw, rated 10 out of 10 for severity because it is wormable 😬, which had lived 17 years in the code and impacts all Windows Server versions from 2003 to 2019. This is the first published working exploit since Microsoft addressed SIGRed with patches and a registry workaround in July 2020. Are you patched?

Updates for MS Exchange: “Patch it! Patch it Now!” per ZDNet

CISA issued Emergency Directive 21-02 on Wednesday March 3, mandating that agencies do a thorough search for infiltration or compromise, patch immediately, and disconnect from the network if they find anything. Exchange is embedded in IT infrastructure and essential to how work gets done in most enterprise, corporate and government workspaces. Security firm ESET is now saying several cyber espionage groups are exploiting CVE-2021-26855. Targets are not just in the US.

Et tu, Qualys? More fallout from the Accellion breach now adds Qualys per ZDNet

The Accellion secure file transfer app gets used in a LOT of places, apparently. There have been well over 100 victims to date as Clop ransomware continues to post them on its name-and-shame site. Qualys, a trusted firm used for cloud security and compliance, is now the latest victim. 2021 has been a casebook study in third-party risk and exposure, with ongoing supply chain attacks and big names impacted. Time to move on from “trust but verify” to a more active “verify, then trust” with existing and new external relationships.

Daily Perk 3/2/2021

Microsoft just issued 4 patches for security issues (see alert here) being actively exploited by a Chinese APT group, Hafnium. Exchange versions 2013-2019 are affected. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The description per Microsoft is:

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

Hafnium’s targets are US based, in various sectors which include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. They exploit vulnerabilities found in internet-facing servers and exfiltrate data to file sharing sites. They are stealthy and operate from virtual private servers leased in the US.

Hide in plain sight: Updated ObliqueRAT hides in images per ZDNet

ObliqueRAT has evolved from basic functionality to multiple infection vectors and capabilities. The new campaign targets victims in South Asia via tainted websites rather than phishing emails, which tend to get caught. The attacks use steganography to hide malicious payload files within image files on the site. ObliqueRAT is linked to the Transparent Tribe APT and to distributions of CrimsonRAT.

RATs are powerful, multi-function tools heavily used by attackers. It’s important to keep in mind that malware operators are constantly enhancing their tools, so what we have defences for won’t cover everything. Kinda like vaccines and variants. You can read the report by Cisco Talos here.
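The post says the payload is hidden inside image files. The simplest, and most common, form of that trick is appending the payload after the image’s end-of-file marker, so the picture still renders while the extra bytes ride along. Below is an added example (mine, not from the Talos report or the ObliqueRAT campaign) of a triage script that parses the PNG chunk list and JPEG markers, reports any bytes trailing the end marker, and flags a Windows PE header at the start of the tail. The image blobs are constructed in the script; proper pixel-level steganography (LSB embedding) would not be caught by this and needs statistical analysis instead.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk
    (the last byte a well-formed PNG should contain), or None if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    """Return the offset just past the first EOI marker, or None if not a JPEG.
    Caveat: an EXIF thumbnail carries its own EOI, so treat a hit as a lead, not proof."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.find(JPEG_EOI, len(JPEG_SOI))
    return None if eoi == -1 else eoi + len(JPEG_EOI)


def trailing_bytes(data):
    """Bytes that follow the image's end marker; b'' for a clean file, None if unparsed."""
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def scan_image(name, data):
    """Triage verdict for one image blob."""
    tail = trailing_bytes(data)
    if tail is None:
        return {"file": name, "verdict": "unparsed"}
    if not tail:
        return {"file": name, "verdict": "clean", "trailing": 0}
    return {
        "file": name,
        "verdict": "suspicious",
        "trailing": len(tail),
        "looks_like_pe": tail[:2] == b"MZ",   # Windows executable header at the start of the tail
    }


def make_png():
    """Constructed 1x1 greyscale PNG used as sample input (not a real campaign artefact)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit depth, greyscale
    idat = zlib.compress(b"\x00\x80")                     # filter byte + one grey pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed samples: a clean PNG, the same PNG with a fake PE appended, a tiny JPEG with a tail.
SAMPLES = {
    "clean.png": make_png(),
    "photo.png": make_png() + b"MZ" + b"\x90" * 64,
    "banner.jpg": JPEG_SOI + b"\xff\xe0\x00\x02" + JPEG_EOI + b"#!/bin/sh\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(scan_image(fname, blob))
```

Run it over a directory of downloads from a suspect site and anything with a non-zero tail is worth a closer look; a tail that starts with `MZ`, a script shebang or a high-entropy blob is the usual giveaway.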

Breach Alert: Oxfam Australia is reporting that information about supporters on one of its databases was “unlawfully accessed by an external party” in January 2021. The data of 1.8 million accounts was being sold on an underground site. Partial financial details were also exposed. Per Have I Been Pwned.

Updates to jailbreak tool “unc0ver” for iPhones on iOS 11 – 14.3 per The Hacker News

With the latest release of “unc0ver” 6.0, almost any iPhone can be jailbroken. It uses one of the 0days from January that was being actively exploited, CVE-2021-1782, a privilege escalation vulnerability.

Attackers are quick to act on vulnerabilities especially when they mean access into walled-gardens or secure enclaves like Apple’s operating system. While we know about the use of this vulnerability here, we don’t know the full extent of exploits or attackers as Apple has not shared that. Things that will go bump in the night …

Daily Perk 3/1/2021

Spring is coming.

Insider Threat: Chinese businessman steals transistor secrets from GE with insider help per The Register

A Chinese businessman based in Hong Kong was charged with conspiring to steal very valuable and sensitive information on transistor technology from GE to help set up a competing firm based in China. He had a little help from his friend or friends on the inside. Nothing is confirmed as yet, but potential investors were told the tech was worth $100 million. As we get better at securing endpoints and access points, expect adversaries to seek other ways in. Insider risk will always be a risk.

China is highly competitive and driven by their strategic “Made in China 2025” plan. As that deadline approaches expect to see a corresponding escalation in cyber espionage and recruitment of insiders to gain the advantage over Western rivals.

Gootloader malware: Abusing SEO and hacking CMS per Bleeping Computer

Gootloader malware has evolved to do more than deliver the Gootkit information stealer and REvil ransomware. It has created a considerable network of poisoned sites and is abusing SEO in Google to show fake forums, targeted to specific geographic regions only, with malicious links. The operators behind Gootloader have as many as 400 active servers running legit but hacked websites. Researchers describe a convoluted infection chain which takes time to unravel and works to the attackers’ advantage in delivering a range of malware. Sophos has a technical analysis of Gootloader here.

When bad things happen to good people: ICS & security concerns

PLC hard-coded key vulnerability rates 10 out of 10 for severity per Ars Technica

PLCs are programmable logic controllers used within industrial control systems, or ICS: manufacturing, industrial plants, power plants. Be concerned. Be very concerned. While they may look like the desktops and keyboards we used to use at the office, this is specialized equipment that helps run our daily lives, keeps our lights on, keeps us safe. Referred to as Critical Infrastructure, it’s the ideal target for nation-state attacks where revenge and control collide.

When malware and tactics are weaponized for destruction, bad things happen like:

  • power plant sabotage by BlackEnergy malware in Ukraine
  • cyber attacks on water treatment plants in Israel by Iran
  • industrial safety systems malfunctioning because of Triton malware
  • centrifuges spinning out of control in a nuclear facility with Stuxnet.

On Feb 26, US CISA issued a warning here for CVE-2021-22681, involving the extraction of a secret encryption key hard-coded in Logix brand PLCs from Rockwell Automation. Key point here (sorry, had to) is a fundamental of good security practice: don’t hardcode or embed passwords and security keys. This makes the PLCs vulnerable to attack by a remote attacker with low skill levels, who could then alter their configuration or their application code. Do you want bad things? Because this is how you get bad things. How bad?
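The “don’t hardcode keys” point is easy to state and easy to get wrong in a large code base, so the practical defence is to scan for it and to give developers a pattern that makes the secret come from outside the binary. The following is an added example of my own, not Rockwell’s or Claroty’s code and not tied to the Logix firmware: a small scanner that flags string literals assigned to secret-looking names (with a Shannon entropy score to separate random-looking keys from plain words), plus a `load_secret` helper that refuses to start when the secret is not provisioned instead of falling back to a built-in default. The source text it scans is constructed for the demo.

```python
import math
import os
import re

# Assignments of secret-looking names to string literals (toy rule set, not a product's rules).
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|password|passwd|token)[A-Za-z0-9_]*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{6,})["']""",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits per character; long random-looking literals score high (3.5 is a common cutoff)."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_hardcoded_secrets(source, entropy_cutoff=3.5):
    """Return [(line_no, name, reason)] for literals that look like embedded credentials or keys."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue                                  # skip comment lines
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if value.startswith("${") or value.startswith("<"):
                continue                              # template/placeholder, not a literal secret
            entropy = shannon_entropy(value)
            reason = "name suggests secret"
            if entropy >= entropy_cutoff:
                reason += f", high entropy {entropy:.2f}"
            findings.append((line_no, name, reason))
    return findings


def load_secret(name, env=None):
    """Hardened pattern: take the secret from the environment (populated from a vault or HSM
    at deploy time) and fail loudly when it is missing, instead of using a built-in default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} not provisioned; refusing to start with a built-in key")
    return value


# Constructed sample source, mimicking the anti-pattern described in the post.
SAMPLE_SOURCE = """\
# firmware config (constructed example)
DEVICE_NAME = "line3-plc"
SIGNING_KEY = "8f3a9c1e7b2d4f60a5c3e1b9d7f2a4c6"
admin_password = "changeme1"
API_TOKEN = "${VAULT:plc/api_token}"
"""

if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_SOURCE):
        print("line %d: %s (%s)" % hit)
    print(load_secret("SIGNING_KEY", {"SIGNING_KEY": "from-hsm-or-vault"}))
```

The scanner is deliberately noisy on names and stricter on entropy: a low-entropy hit like `changeme1` is still a finding, because a weak default password baked into firmware is exactly the kind of thing that ends up in an advisory.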

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable”

Sharon Brizinov, principal vulnerability researcher at Claroty

Which brings me to my second “key” point: don’t expose sh@t you value online. Because people know how to go hunting with Shodan, and omg, the things they find!

(Image: Shodan search result shared on Twitter in 2018)

There’s another thing that troubles me. Maybe I’m being petty, but apparently Claroty told Rockwell “Hi! You may have a security problem” back in 2019. I know we lost a whole year with 2020, but still, it took until last Thursday for anything to be said.

Pretty much any Rockwell Logix PLC is at risk. It’s a long list. How about a patch for that? Well, not just yet. But there is an advisory now available from Rockwell with mitigations and instructions. You can read the write up by Claroty here and you probably should.

Want to know more? In addition to this excellent article by Dan Goodin for Ars Technica, I can recommend reading “Sandworm” by Andy Greenberg and “Countdown to Zero Day” by Kim Zetter. Here is where I get to cheer on the work being done by the team of dedicated security researchers who specialize in the field of ICS and SCADA at Dragos Inc., Bryson Bort and the awareness he’s bringing, and my friend Chris Sistrunk at Mandiant who helps keep the power grid safe and our lights on, among many other things.

Daily Perk 2/26/2021

It’s DNS. It’s always DNS.

2000% Increase in New Malware Written in Go per ZDNet

Noting a trend where malware writers have shifted away from C and C++. Cybercriminals and APTs both find Go easy to work with, and it’s good for evasion because Go binaries are harder to detect. Moreover, with the massive migration to all things cloud, many cloud-native applications are written in Go. This is the way.

Malicious Firefox Extensions Used to Hijack Gmail Accounts per Bleeping Computer

China-based APT group TA413 targeted Tibetan organizations in a cyber espionage campaign that hijacked Gmail accounts and infected victims with Scanbox malware to harvest data and log keystrokes. TA413 used phishing emails to redirect victims to a malicious Adobe Flash Player update site (wait, isn’t that always a bad thing?), where victims would get tricked into loading the FriarFox browser extension that let the attackers gain control.

Malicious browser extensions are more prevalent than we realize, and are being leveraged by state-sponsored attackers to gain control over dissidents. Think beyond that to how it can be leveraged against us. Good report by Proofpoint here.

Daily Perk 2/25/2021

Missed y’all yesterday

Patch It Now! Vulnerable VMware vCenter servers are being hunted online and exploited per ZDNet. Over 6700 are exposed online and vulnerable to attacks that can take over entire company networks. A Chinese researcher published their PoC for CVE-2021-21972 here.

Got Cisco? Get Patching! Per Threatpost, Cisco has fixed a critical flaw that could allow a remote attacker to bypass authentication. This affects Cisco’s ACI Multi-Site Orchestrator, used as business management software. But wait, there’s more! A critical flaw in their Application Services Engine could allow unauthenticated remote attackers to gain privileged access to host-level operations. And they have patched another critical flaw in NX-OS on their Nexus 3000 and 9000 series switches, which could grant root-level privilege. I worry about these things …

The Data Behemoth: Concerns over Amazon and security lapses per Politico

After years of massive breaches – governments, Equifax, Yahoo and so many more – our data is out there, including usernames and passwords, social insurance numbers, payment data. Unfortunately, the ocean of data keeps rising, cloud is where everything is moving to, and security misconfigurations have been keeping pace, with data spillage in the millions of records.

The pandemic has been a boon for online ordering, which means payment card data is more at risk than ever. The article raises concerns about Amazon’s history of somewhat lax security practices, but anyone handling our data merits our concern – Amazon just has a lot more data to worry about. The onus rests with us to be vigilant and monitor where our data is, because if we have to trust someone else with it, we need to verify what happened to it.

Daily Perk 2/23/2021

New Advances in Payment Card Skimmers per Krebs on Security

Security researcher Brian Krebs has become an expert on card skimming devices and methods. It’s enough to make you seriously question ever swiping your card again. His column today presents how retail self-checkout point of sale (POS) machines can be equipped with a “flexible, paper-thin device that fits inside the terminal’s chip reader slot”. Unless you knew to look, and what to check for, you’d have no idea. Ironically, these risky readers draw power from the chip on the very chip-and-PIN cards that are supposed to be secure, and can operate indefinitely. But good news – his next post is about detecting these skimmers.

Phishing Alert: per Threatpost. Be wary of emails being sent supposedly from FedEx and DHL couriers, among others. The targets have been over 10,000 Microsoft email users.

Shadow Attacks Can Compromise Integrity of Digitally-signed PDFs per The Hacker News

Whoa! We know attackers have been steadily abusing trust via digital certificates, but this is a disturbing new wrinkle. Security researchers from Ruhr-University Bochum demonstrated their new attack, “Hiding and Replacing Content in Signed PDFs”, which abuses the “enormous flexibility provided by the PDF specification so that shadow documents remain standard compliant.” Consider how much we rely on PDFs because they can’t be changed the way other documents can, supporting the security principle of Integrity. Of note: these researchers have previously shown how to extract the contents of password-protected PDF files.
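The flexibility the researchers abuse is the PDF incremental update: a signature only covers the byte ranges listed in its `/ByteRange`, and the spec allows further objects and a new cross-reference table to be appended after that, which is how a “shadow” document can change what is displayed without invalidating the signature. A defender’s first check is therefore whether anything at all follows the signed byte range. Below is an added example of my own (not the researchers’ tooling and not a signature validator): it reads the last `/ByteRange`, compares the covered end against the file length, and counts `%%EOF` markers. The “signed” PDF it inspects is constructed in the script with a dummy hex signature; it demonstrates the byte-range arithmetic, not cryptographic verification.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d); the gap holds the signature.
BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def check_signed_pdf(data):
    """Report whether bytes were appended after the last signature's covered range
    (an incremental update), which is the mechanism shadow attacks rely on."""
    ranges = BYTERANGE.findall(data)
    eof_markers = data.count(b"%%EOF")
    if not ranges:
        return {"signed": False, "eof_markers": eof_markers}
    _a, _b, c, d = (int(x) for x in ranges[-1])     # last signature wins for multi-signature files
    signed_end = c + d
    trailing = len(data) - signed_end
    return {
        "signed": True,
        "eof_markers": eof_markers,
        "bytes_after_signature": trailing,
        "modified_after_signing": trailing > 0,
    }


def make_signed_pdf(extra_update=b""):
    """Constructed toy 'signed' PDF (the signature is dummy hex, not a real one): a Sig dictionary
    whose ByteRange covers the whole file except the /Contents string, optionally plus an update."""
    sig_hex = b"<" + b"00" * 16 + b">"
    # %%PDF becomes %PDF after bytes formatting; widths are zero-padded so offsets stay stable.
    head_fmt = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    head_len = len(head_fmt % (0, 0, 0))      # bytes before the signature string
    c = head_len + len(sig_hex)               # start of the second covered range
    d = len(tail)
    return (head_fmt % (head_len, c, d)) + sig_hex + tail + extra_update


# Constructed incremental update of the kind a shadow document would carry after the signature.
SHADOW_UPDATE = (b"2 0 obj\n<< /Type /Page /Contents 3 0 R >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n")

if __name__ == "__main__":
    print(check_signed_pdf(make_signed_pdf()))
    print(check_signed_pdf(make_signed_pdf(SHADOW_UPDATE)))
```

A positive result is a triage signal, not a verdict: a second signer or a form-fill also appends an incremental update. What it tells you is that the bytes you are looking at are not the bytes that were signed, so the signed revision has to be rendered and compared with the current one before the document is trusted.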

Daily Perk 2/22/2021

It’s still Monday. I checked.

Equation Group Tool Cloned by Chinese Hackers per ZDNet

Remember that treasure trove of NSA cyber exploit goodies made public by the Shadow Brokers in 2017? The home of EternalBlue and friends? Like Pandora’s box, once the lid lifted everything escaped. These were exploits for 0days, many of them in Windows, acquired and kept undisclosed rather than reported for patching, in order to build a cyber weapons arsenal. It’s what all the cool nation states do.

Turns out that credit for the hacking tool “Jian”, an exploit for privilege escalation and full system compromise on Windows systems from XP to 8, does not go to APT31 aka Zirconium but to … a clone of Equation Group’s EpMe. This was one of four privilege escalation exploits that are part of a module. Note: APT3 were another Chinese group who availed themselves of NSA tools, before they got loose. Good time to revisit that “Lost in Translation” leak by the Shadow Brokers.

Update: Possible Ties to FIN11, Clop Ransomware in the Accellion File Transfer Attack Per Threatpost

This was a major security issue for organizations that rely on secure file transfer: think legal, financial, government. At least 100 entities are victims, of which 25 have suffered “significant data theft”. Extortionist ransomware, name & shame sites.

Researchers have identified threat actors UNC2546 and UNC2582, connected to established cybercrime group FIN11 who work with the Clop ransomware operation. We’re seeing the waters get muddier and murkier when it comes to attribution, as cybercriminals work with state-backed adversaries, and offshoots develop to act one-step removed.

Diana Initiative CFP Now Open! It’s YOUR year!

Bring it! Show us what you’ve learned, what you’re made of, what you think. Last year’s virtual event was outstanding, and opened the doors for so many more attendees to submit. The Diana Initiative features a diverse speaker line-up covering a wide range of topics – why not yours? There will be multiple speaking tracks. Speakers have a choice of a 20 minute slot or a 50 minute slot. Please review the details and process below and submit your talk! For any CFP questions, email cfp@dianainitiative.org

Important Dates

  • Feb 15th, 2021: Call For Papers Opens
  • March 21st, 2021: First Round closes
  • April 7th, 2021: First Round notifications sent
  • May 7th, 2021: Second Round closes
  • May 22nd, 2021: Second Round notifications sent

Submission Guidelines: Papers that don’t meet these may be rejected

  1. Submission Title
  2. Speaker Name(s)
  3. Speaker Email (this is how we will contact you; hidden from reviewers)
  4. Speaker biography (150 words or less per speaker; hidden from reviewers)
  5. Abstract for your talk (200 words or less; please refrain from including identifying information)
  6. Detailed talk outline (please refrain from including identifying information)
    Break your talk idea down into subheadings with bullet points to provide detail on what it is, why it matters, and what attendees will take away as learning or something they can apply. Show approximate speaking times for each section. Less is not more when it comes to the outline and selling your concept.
  7. Whether this would be your first speaking engagement at a conference
  8. Whether this talk has been previously given at another conference