Daily Perk 4/1/2021

Happy Zero-trust Day!

North Korea sets up fake security firm lure per The Hacker News

Remember the reports back in January about North Korean attackers trying to lure security researchers with poisoned collaboration offers and a malware-laced research blog? They really went all out. There is now a fake security firm, “SecuriElite”, with a website and social media accounts, one of them “TrendMacro” (a near-miss of a real vendor’s name), all linking back to the poisoned site. Attackers are getting better at dissolving and reappearing elsewhere, in a game of adversary “whack-a-mole”. Our job is to consider how else, and where else, they can play this strategy.

Update: Ubiquiti – it just gets worse per Bleeping Computer

We knew this was coming, right? Ubiquiti now says there was an extortion attempt back in January, when that breach happened, but not to worry: there is no indication that source code or customer data was taken. Hmm 🤨 After this past year of extortion ransomware, and the massive pwnage of the Accellion breach, I am sceptical. Especially since, per the whistleblower, there wasn’t really any logging in place to verify what the attacker got into, so “no indication” may simply mean no evidence either way. There are big lessons in here for all of us.

Don’t neglect your firmware per ZDNet

“Out of sight, out of mind” is not a cyber security best practice. Unfortunately, that sums up how most of us handle firmware updates and awareness. Yet firmware is where the machine keeps its roots of trust: the code that verifies the boot chain, and the credentials and encryption keys stored below the operating system. Per the Microsoft Security Signals report for March, 80% of enterprises surveyed experienced at least one firmware attack in the past two years, but less than a third of security budgets go to protecting it.

Firmware attacks are specialized, and may target UEFI, device firmware or hardware drivers. Visibility is a problem, because firmware is the layer below what AV and endpoint detection services are built to monitor. It’s the purview of advanced persistent adversaries with resources. Think stealth, dwell time and painful compromise: what you can’t see will hurt you.

Daily Perk 3/31/2021

In this together

Patch it Now: per ZDNet, two critical vulnerabilities have been found in VMware vRealize Operations. One is a server-side request forgery (SSRF) in the API that can be used to steal administrative credentials; the other allows arbitrary file writes. The platform is marketed as “self-driving IT operations management for private, hybrid and multi-cloud environments”, which means it holds the keys to a lot of other systems. As we continue the mass migration to all things cloud, this opens up a whole new world of vulnerability and exploit possibilities through the universe of third-party products and services, especially management planes.

WordPress Warning: per Bleeping Computer, attackers are injecting counterfeit copies of the jQuery Migrate plugin’s script files, carrying obfuscated malicious code, into compromised WordPress sites. The legitimate plugin is used on over 7.2 million websites, so treat this as an early warning and check your site for script files you did not put there.

Campaign targets Japan’s industrial sector with fileless malware & backdoors per Securelist

This is an interesting one to be aware of because it involves several strains of fileless malware not seen before, used in a sophisticated campaign that has been targeting the industrial sector in Japan. Most notable is “Ecipekac”, a “very sophisticated multi-layer” loader that delivers the fileless payloads P8RAT and SodaMaster.

Kaspersky has been tracking the activity since 2019, and believes it is the work of China’s well-established APT10. Fileless malware runs in memory and leaves little on disk, which makes it hard to detect and leaves few artifacts for forensics and learning afterwards. It’s something associated with an advanced, well-resourced, determined threat actor.

Daily Perk 3/30/2021 Updated

Got you a refill!

Ubiquiti Networks Breach: A “Catastrophic” cover up? Per Krebs on Security

This looks really bad. Ubiquiti Networks disclosed a data breach back in January, attributing it to an incident at a third-party cloud provider, with attacker activity reaching back to December. Apparently, per an insider at Ubiquiti,

“it was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk”.

Access was gained through Ubiquiti’s own AWS environment: the attackers had administrative access to Ubiquiti’s servers hosted on the Amazon cloud service. Let’s just pause and reflect there, and think about the third-party cloud service relationships we all have in play, and where the credentials for them live. You can read Krebs’ post for a more detailed account of what ensued. And if you use Ubiquiti, be very suspicious: change your passwords, enable two-factor authentication, and watch your devices. As with what happened to those Exchange servers, once pwned, twice burned. You need to sanitize what may be hiding in there.

India’s fintech platform MobiKwik data breach per The Hacker News

Thanks to a global pandemic, online payments went from nice to necessity. That’s a lot of sensitive data – payment data. Now, 8 TB of it has been found for sale, believed to be stolen from India’s MobiKwik, which provides a payment gateway and financial services to over 120 million users, including 3 million retailers. The data was being offered for 1.5 bitcoin. There has been a lot of drama with this. About a month ago it first came to light, and MobiKwik vehemently denied it. Servers were secured and the data tap was shut off briefly. But then the attacker came back, claiming to have all that data. Whatever is going on, this involves a tremendous amount of sensitive data that impacts people’s lives and livelihoods once it is out there, and it can’t be taken back. We’ve seen the impact of mass data breaches fuelling cybercrime and the dark industry of synthetic identities. As individuals, more is expected of us to keep watch over our online presence. The same should extend, in terms of data stewardship and responsible disclosure, to those we trust and entrust with our data.

Privacy Cringe 😬: per Threatpost, Intel has been served with a lawsuit for allegedly breaking Florida’s wiretapping law. Because (don’t be surprised) they had session-replay software on their website to capture the keystrokes and mouse movements of site visitors. Yes, folks like you and me. Yes, that would be the Intel in our computer chips. This was for user analytics on their site. I am sure visitors do not recall giving consent or even being asked. We are going to be confronting an increasing number of ethics and privacy concerns as AI, machine learning and data analytics converge. Be aware.

Good news, maybe: for those concerned about SMS hijacks and SIM swaps, an update in today’s CyberWire reports that major US carriers have closed the SMS-rerouting loophole attackers were leveraging. You can read the article here.

“Broken Trust”: The New Report from the Atlantic Council chronicles supply chain attacks

Atlantic Council Report

This is a link to the PDF report, “Broken Trust: Lessons from Sunburst”, recently released by the Atlantic Council, which uses seven earlier supply chain attacks to illustrate how the private sector and governments failed to anticipate something like SolarWinds. The report argues that the federal government needs to identify “software with the largest potential blast radius” as a preventive measure against more “sky is falling” cyberattacks like SolarWinds. And where to focus? Per the report: “low-profile software used in critical parts of a network or given high-level permission that present valuable targets”.

Thanks to Politico’s weekly cybersecurity email for their insights and making the link available.

Daily Perk 3/29/2021

PHP Git Repository hacked with backdoors per Bleeping Computer

2021 is the year of software supply chain attacks. The latest involves code tampering in the official PHP Git repository. This is alarming because nearly 80% of websites with a known server-side language run PHP. Two malicious commits were pushed upstream under the names of well-known PHP maintainers, one of them PHP’s creator, Rasmus Lerdorf.

As supply chain attacks seek to do, this abuses trust. Git’s author and committer fields are just text: anyone with push access can commit in someone else’s name, and nothing in the plain commit process verifies the claimed identity; only a cryptographic signature does. To ensure better security going forward, PHP changes will now go through GitHub rather than the project’s own git server, and contributors will need to be added to an authorized group. Sounds good 👍
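A commit’s author and committer fields are free text, which is exactly what made the forged PHP commits possible; only a signature binds a commit to a key. Below is an added example of the check a maintainer could run over `git log` output to reject commits that claim a privileged author without a good signature from that author’s registered key. It is not PHP’s or git’s own code: the git format string is real, while the sample log lines, names, e-mail addresses, abbreviated hashes and key IDs are constructed.

```python
"""Audit commit signatures in `git log` output.

Added example, not PHP's or git's own code. The git format string is real;
the sample log lines, names, e-mail addresses, hashes and key IDs are constructed.
Produce real input with:
    git log --format='%h%x09%an%x09%ae%x09%G?%x09%GK' <range>
(%G? is git's signature status, %GK the signing key; both need gpg and the
maintainers' public keys in the keyring of the host running the audit.)
"""
from dataclasses import dataclass

# Signature status codes emitted by %G? (see git-log(1), PRETTY FORMATS):
#   G good, B bad, U good but untrusted key, X good but expired,
#   Y good but key expired, R good but key revoked, E cannot check, N no signature
ACCEPTED_STATUSES = {"G"}

# Constructed: which signing key is registered for each privileged committer.
TRUSTED_KEYS = {
    "one@example.org": "AAAAAAAA11111111",
    "two@example.org": "CCCCCCCC33333333",
}

# Constructed sample, three commits: a properly signed one, an unsigned one that
# merely claims a maintainer's name (the forgery pattern), and one signed with a
# key that is not the one registered for that maintainer.
SAMPLE_LOG = (
    "0123456789ab\tMaintainer One\tone@example.org\tG\tAAAAAAAA11111111\n"
    "123456789abc\tMaintainer Two\ttwo@example.org\tN\t\n"
    "23456789abcd\tMaintainer One\tone@example.org\tG\tBBBBBBBB22222222\n"
)


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    key_id: str


def parse_git_log(text):
    """Split the tab-separated (%x09) format into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        sha, name, email, status, key = line.split("\t")
        commits.append(Commit(sha, name, email, status, key))
    return commits


def audit(commits, trusted_keys):
    """Return (sha, reason) for each commit that does not carry a good signature
    from the key registered to its claimed author. The author field itself is
    never trusted: it is free text that anyone with push access can set."""
    findings = []
    for c in commits:
        if c.sig_status not in ACCEPTED_STATUSES:
            findings.append((c.sha, f"no good signature (status {c.sig_status}) "
                                    f"for commit claiming {c.author_email}"))
        elif trusted_keys.get(c.author_email) != c.key_id:
            findings.append((c.sha, f"signed by key {c.key_id}, which is not the key "
                                    f"registered for {c.author_email}"))
    return findings


if __name__ == "__main__":
    for sha, reason in audit(parse_git_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(f"REJECT {sha}: {reason}")
```

Run `git log --format='%h%x09%an%x09%ae%x09%G?%x09%GK' origin/master..HEAD` and feed the output to `parse_git_log`. `%G?` only reports `G` when gpg can verify the signature against a key in the auditing host’s keyring, so that keyring is itself part of the trust boundary, and a status of `U`, `E` or `N` is deliberately treated as a failure rather than a warning.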

Critical Netmask bug impacts hundreds of thousands of applications per Bleeping Computer

Netmask is the npm library used worldwide by hundreds of thousands of applications to parse or compare IPv4 addresses and CIDR blocks. It gets 3 million weekly downloads, and 278,000 GitHub repos depend on it.

A critical bug was identified, CVE-2021-28918, in how netmask handles IPv4 addresses whose octets have a leading zero. The C library’s inet_aton() (and therefore the operating system that actually opens the connection) reads an octet with a leading zero as octal, so “0177.0.0.1” is 127.0.0.1; netmask read it as decimal, 177.0.0.1. An application using netmask to block requests to internal or loopback addresses could be tricked: the check saw a public address while the socket went to localhost. That means server-side request forgery (SSRF) filter bypasses and remote file inclusion, and it undermines the same kind of allow/deny logic in appliances such as web application firewalls and other perimeter controls. Fixed versions are available on npm.
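To see why this matters, here is an added example (not netmask’s code; standard library only, with constructed addresses) that puts the decimal-only parsing beside an `inet_aton()`-style parser and a strict canonical parser suitable for an SSRF allow/deny check. It also covers the other inet_aton forms a filter can be fooled with, hex parts and fewer than four parts, which go beyond the leading-zero case in the article.

```python
"""IPv4 parsing the way inet_aton() does it, beside the decimal-only parsing that
caused the netmask SSRF bypass.

Added example, not the netmask library's code. Standard library only; the
addresses exercised are constructed.
"""
import ipaddress
import re

# inet_aton accepts decimal, octal (leading 0) and hex (0x) parts.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]+|0|[1-9][0-9]*")
# Canonical dotted-quad octet: no leading zeros, no hex, 1 to 3 digits.
_CANONICAL_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def naive_parse(addr):
    """Mirror of the vulnerable behaviour: four parts, every part read as decimal,
    so "0177" becomes 177 even though the OS will treat it as octal 127."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r}: expected four parts")
    octets = [int(p, 10) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"{addr!r}: octet out of range")
    return ipaddress.IPv4Address(bytes(octets))


def _inet_aton_part(p):
    if not _PART.fullmatch(p):
        raise ValueError(f"bad address part {p!r}")
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def inet_aton_parse(addr):
    """Parse like the C library inet_aton(): one to four parts, each decimal,
    octal or hex, with the last part filling all remaining bytes. This is the
    address the socket layer will actually connect to."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"{addr!r}: expected one to four parts")
    values = [_inet_aton_part(p) for p in parts]
    *leading, last = values
    if any(not 0 <= v <= 255 for v in leading):
        raise ValueError(f"{addr!r}: leading part out of range")
    remaining = 4 - len(leading)
    if not 0 <= last < 256 ** remaining:
        raise ValueError(f"{addr!r}: final part out of range")
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * remaining)) | last
    return ipaddress.IPv4Address(n)


def strict_parse(addr):
    """Hardened input validation for SSRF filters: accept only canonical
    dotted-quad notation and reject leading zeros, hex and fewer than four
    parts, so the filter and the OS can never disagree about the address."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(_CANONICAL_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"{addr!r}: not canonical dotted-quad")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"{addr!r}: octet out of range")
    return ipaddress.IPv4Address(bytes(octets))


def is_internal(address):
    """Loopback, RFC 1918, link-local and other non-routable space."""
    return not address.is_global


def rejects(parser, addr):
    """True if parser refuses addr (used to show what strict_parse blocks)."""
    try:
        parser(addr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for addr in ["0177.0.0.1", "010.0.0.1", "0x7f.1", "2130706433"]:
        try:
            seen = naive_parse(addr)
            verdict = "internal" if is_internal(seen) else "public"
        except ValueError:
            seen, verdict = None, "rejected"
        actual = inet_aton_parse(addr)
        print(f"{addr:>12}  filter saw {str(seen):>12} ({verdict:8})  "
              f"OS connects to {actual} ({'internal' if is_internal(actual) else 'public'})")
```

The point of `strict_parse` is not to out-parse the OS but to refuse every address form on which two parsers could disagree. It is also only half of an SSRF defence: resolve hostnames and re-check the address actually connected to, since DNS rebinding bypasses any string check.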

New Spectre Vulnerabilities found in Linux per The Hacker News

Ah, the wonderful world of speculative execution attacks, aka “the sky is falling!” Spectre and Meltdown introduced us to a series of vulnerabilities allowing things that were “never supposed to happen”. We know “trust but verify”, but need to add “never say never”.

Two new vulnerabilities, CVE-2020-27170 and CVE-2020-27171, in the kernel’s extended BPF (eBPF) subsystem could allow an unprivileged local attacker to bypass the existing Spectre mitigations and get their paws on sensitive information from kernel memory. All Linux kernels prior to 5.11.8 are affected. Fixes were being released as of March 20.

Daily Perk 3/25/2021

The goal is in sight!

Patch it Now: WordPress Woes per Wordfence

WordPress sites are prime targets, and unpatched vulnerabilities are rapidly exploited. If you are using Thrive Themes Legacy themes and plugins, about 100,000 sites are vulnerable and have been actively exploited since patches were released March 12. The attached link to Wordfence will tell you what to do. There are also a couple of other fixes for the Facebook for WordPress plugin, highlighted today and installed on over 500,000 sites, that need your attention. Stay safe!

QNAP brute force attacks ongoing per Bleeping Computer

NAS boxes are great for storage, and QNAP is very common. Unfortunately that has made it a prime target for attacks, including targeted ransomware. Right now attackers are running automated brute-force attacks to crack credentials on the boxes. QNAP’s recommendations for securing your device: change the default access port number, make your password really strong, enable password policies, and finally disable the default “admin” account that is currently being targeted (after creating a new administrator account to replace it). That takes a little more work but it is worth it. The link to the article walks you through what you need to do 😊

Patch It Now: Critical bug fix for Cisco Jabber per Bleeping Computer. The bug affects Jabber client software for Windows, macOS, Android and iOS. With some work, a remote authenticated attacker could execute arbitrary programs on a device running the vulnerable Jabber software. I know it’s an enterprise org thing, so there’s plenty of patching to be done before somebody starts exploiting it.

Daily Perk 3/23/2021

CISA warns of threat to power grid from critical flaws in GE Universal Relay per The Hacker News

CISA issued an advisory March 16 warning of critical vulnerabilities in GE’s Universal Relay (UR) family of power management devices. GE has released patches for nine vulnerabilities affecting numerous relay models. Exploitation of the unpatched flaws could let attackers reboot the UR, access sensitive information, gain privileged access to go deeper and cause more harm, or create a denial of service condition. Also of note: firmware versions prior to 8.1x were found using weak encryption and MAC algorithms for SSH communication (trust me, not good), so they were more vulnerable to brute-force attacks for initial access.

Critical infrastructure, like power utilities, is essential to our daily lives, but most people don’t realize there isn’t just standard IT in use, but specialized operational tech systems, often left in place for years with the mindset “if it ain’t broke don’t fix it”. As these once-sequestered systems get increasingly connected or exposed to the Internet, they are less patched and more susceptible to compromise than standard IT.

Sierra Wireless hit by ransomware attack per Bleeping Computer

There has been a steady increase in both the size of the target and the ransom demanded. Sierra Wireless, a major global IoT solutions provider, disclosed it was hit March 20. The company sells products and services to a number of verticals: healthcare, industry, energy, technology and more. The company is not sharing more, except that it shut down manufacturing plants worldwide and that there is “a clear separation between its internal IT and customer facing products and services”.

Telecom communications are critical infrastructure, and never more so than during a pandemic. We know attackers will aim for the pain points to ensure payment. I expect more attacks will be delivering disruptions to essential services at mass scale.

Patch It Now: Google reports targeted exploitation of unpatched devices with Qualcomm chipsets via CVE-2020-11261, a memory corruption bug in the Qualcomm graphics component. It isn’t the world on fire: the attacker needs local access, meaning code already running on the device, but a malicious app or watering-hole delivery of evil code would provide exactly that.

Daily Perk 3/22/2021

It’s Monday. Again

MS Exchange Servers and Black Kingdom ransomware per Bleeping Computer

This weekend security researcher Marcus Hutchins reported seeing a threat actor run a script against all Exchange servers vulnerable to ProxyLogon. It dropped a Black Kingdom ransom note but did not encrypt anything.

However, Michael Gillespie of ID Ransomware says he has seen about 30 unique submissions to his service in which devices were actually encrypted. Also of note: back in 2020 corporate networks were being targeted via Pulse Secure VPN vulnerabilities and hit with ransomware known as Black Kingdom, and it is still being determined whether these are the same operators. Stay tuned and, more importantly, stay vigilant!

Patch It! Critical vulnerability in Apache OFBiz per The Hacker News

This particular Apache product is an open source, Java-based web framework for enterprise resource planning (ERP) systems. I’m guessing there’s a lot out there. CVE-2021-26295 can allow unauthenticated remote code execution via unsafe deserialization of attacker-supplied data. Unsafe deserialization is not just a data integrity problem: the bytes an attacker sends are turned straight into live objects, and with the right classes available that means code execution.

This vulnerability affects versions before 17.12.06 so upgrade asap. Please! Because we all recall what happened to unpatched Apache Struts vulnerabilities! Cough – Equifax – cough.
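To make the mechanism concrete, here is an added example of the vulnerable pattern beside a hardened loader. It is not OFBiz code: OFBiz’s bug is in Java object deserialization, and this shows the same failure mode with Python’s pickle, whose stream format can likewise name a callable to run during reconstruction. The gadget class, the marker list and the allow-list are constructed.

```python
"""Unsafe deserialization: attacker bytes become live objects.

Added example, not Apache OFBiz code. OFBiz's bug is in Java object
deserialization; this shows the same failure mode with Python's pickle, whose
stream can instruct the loader to call any importable callable. The gadget,
the marker list and the allow-list are constructed.
"""
import io
import pickle

# Constructed marker: records whatever the "attacker" managed to run.
EXECUTED = []


def attacker_callback(tag):
    """Stand-in for the attacker's real goal (spawn a shell, write a file...)."""
    EXECUTED.append(tag)
    return tag


class Gadget:
    """The serialized form of this object tells the deserializer to call
    attacker_callback(...) while reconstructing it. Real-world gadgets live in
    legitimate libraries already on the classpath; this one is spelled out."""

    def __reduce__(self):
        return (attacker_callback, ("code ran during deserialization",))


def craft_payload():
    """What an attacker would send over the wire: nothing but bytes."""
    return pickle.dumps(Gadget())


def vulnerable_load(data):
    """Deserialize whatever arrives: the pattern behind this class of bug."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant: only explicitly allowed types may be resolved.
    (The Java counterpart is an ObjectInputFilter / look-ahead deserialization,
    or better still, not exposing native object streams to the network.)"""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked deserialization of {module}.{name}")


def hardened_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def run_demo():
    """Exercise both loaders on the malicious payload and on a benign record."""
    payload = craft_payload()
    benign = pickle.dumps({"order_id": 42, "items": ["widget"]})

    EXECUTED.clear()
    vulnerable_load(payload)             # attacker code runs during load
    vulnerable_executed = list(EXECUTED)

    EXECUTED.clear()
    try:
        hardened_load(payload)           # refused before any callable is resolved
        hardened_rejected = False
    except pickle.UnpicklingError:
        hardened_rejected = True

    return {
        "vulnerable_executed": vulnerable_executed,
        "hardened_rejected": hardened_rejected,
        "hardened_executed": list(EXECUTED),
        "benign_roundtrip": hardened_load(benign),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allow-list approach is a containment measure, not a cure: the durable fix is the one OFBiz shipped, removing the ability for unauthenticated parties to reach a native deserialization endpoint at all, and carrying untrusted data in a format like JSON that can only ever produce plain data, never callables.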

Keep Watch: Active exploits against BIG-IP by F5 ongoing. If you aren’t patched, assume compromise. Seriously 😐