Blinky Boxes – PSW #712

From Sergiu Gatlan at BleepingComputer: A year from tomorrow, basic auth will _start_ to be permanently disabled. Except SMTP, which can be turned back on after that. This is *just* for Exchange Online, doesn't affect on-prem Exchange. "While Microsoft did not provide the exact reason why they decided to make this announcement this week, the cause is likely a Guardicore report (https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/) that revealed how hundreds of thousands of Windows domain credentials were leaked in plain text by misconfigured email clients using basic auth."

By Catalin Cimpanu for The Record: As we're having the conversation, wondering when security and IT teams might get comfortable with pushing automated responses and remediation in place, Microsoft goes all Leroy Jenkins on us! Basically, if you're running on-prem Exchange, you're going to get the "Exchange On-Premises Mitigation Tool" installed and enabled by default. When there are critical vulns, mitigations for exploit attempts will get automatically pushed to this tool! It's basically like a custom WAF/IPS in-line with your Exchange server.

From Ax Sharma at Ars Technica: Apparently, using Azure AD APIs, it's possible to brute force accounts with single factors and an Azure AD password, without any limitations or indication that it's occurring. It's because these APIs return different results if the password is incorrect. Conditional access and MFA don't mitigate the attacks, because these are secondary stages that don't occur unless primary authentication is first successful.

By Steve Zurier for SC Media: Well, this _should_ make security easier, but we all know these folks will leave stuff running in the traditional data center, they won't get cloud security right on the first pass, and they'll double, if not triple their attack surface. [shrug]

From Martin Matishak at The Record: - “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly said during a Senate Homeland Security Committee hearing. - National Cyber Director Chris Inglis “wholeheartedly” backed Easterly’s comments, adding such information would be “profoundly useful” to crafting digital strategies, improving responses to intrusions and determining how best to spend federal dollars to prevent future attacks.

By Patrick Howell O'Neill for the MIT Technology Review: TL;DR is that 0days are up because we're finding and documenting more than ever. There are better incentives for finding and reporting them, so that could be a contributing factor. They're also becoming more valuable and generally, the skill factor necessary for pulling off 0days is going up.

I absolutely love this quote: John Bambenek, principal threat hunter at Netenrich, added that when a hacker wants to steal money or information, they will break into a computer. However, when they want to do “really bad things” or commit human rights violations, hackers want to access a mobile phone.

From Catalin Cimpanu at The Record: TL;DR Apple is pissing off even more researchers, their lock screen bypass mitigations didn't work, they didn't bother to check with the researcher that reported the bug, and they underpaid him.

From Catalin Cimpanu at The Record: First off, the Lithuanian government does audits on smartphones and publicly releases the results (https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysis_env3.pdf) - how cool is that? Aaaaand they found some stuff. - The OnePlus 8T 5G was cool (and I believe is actively available in the US from carriers). - The Huawei phone (which no longer runs mainstream Android and isn't allowed to use Google services) will push you to alternative app stores if an app you're looking for isn't present. These alternative app stores are full of malicious copies of legitimate apps (giant surprise). - The Xitami is the real fun one. From the article: officials said they uncovered a secret censorship module that could detect and censor 449 keywords or groups of keywords in both Chinese and Latin characters related to sensitive topics inside China, such as “Free Tibet,” “Voice of America,” “Democratic Movement,” “Longing Taiwan Independence,” and others. It also sends off secret encrypted SMS messages. No way to tell what data it contains.

By Chris Duckett for ZDNet: For Huawei and ZTE equipment purchased between April 17th, 2018 and June 30th, 2020 are eligible to seek reimbursement for a replacement out of this $1.9bn fund.

By Martin Matishak for The Record: The Record has quickly become my new favorite source for security articles. I interviewed the founding editor yesterday and have been floored by the quality and quantity of stories they're putting out. Tyler Robinson's TL;DR on this story: - Russia is still Russia - focused on pulling as much information as quietly as possible while positioning assets to disrupt if needed. - China is extremely active - more so than any other country the US sees. The US has often seen their efforts as clumsy, but there are some elite groups mixed in with the noise. - Iran is focused on regional related systems and topics. They don't seem to care about what they do or how they do it. - North Korea is focused primarily on capturing financial resources, primarily cryptocurrency, and recently vaccine maker IP.

- Targeting companies: at least $100m in revenue. Off-limits (supposedly): healthcare, critical infrastructure, oil and gas, defense, non-profit and govt orgs. Looking to buy existing access to companies, doesn't want to mess around with hacking VPNs. - MO: attacks go under the radar - if the victims pay, they don't make any of it public. - Software development: all-new, modern code, borrowing ideas (not code) from other ransomware where it makes sense. - Careful not to make the same mistakes as others. - Suggests DOJ was able to recover bitcoins from the Colonial Pipeline ransom because partners/affiliates transferred BTC to easily seized web wallets. - Hiring: looking for pen testers (pays so much more than pen testing, this doesn't seem difficult)

Market for selling data, they don't do any hacking. Goal is to sell victims' data back to them. Will sell to others if victims aren't willing to buy. If no one buys it, they release it publicly 100% of the time. They refer to it as an infosec 'audit'. They mention media firms and US government orgs as "partners". Why is the US so targeted? Not as much Europe and Asia? "In the US, people like to insure, but not to defend."

This interview was done in March 2021 - before REvil was in the news for hitting Quanta, JBS, Kaseya, and others. The individual being interviewed seems to have made around half a billion, personally??? - Actively concerned with competition, innovation, and brand reputation - Patient, willing to take the time to do things right (except for choosing targets, apparently...) - They bought the GandCrab code - Avoid CIS, including Georgia and Ukraine; also avoid poorer companies less likely to pay - As many as 60 affiliates at one point in time - 30% of crew that leaves, leaves because they've made enough money for a lifetime... but most eventually come back - affiliates claim to have access to ballistic missile launch systems, a US Navy ship, nuclear power plant, weapons factory - One affiliate retired after making $50m, retired, came back 4 months later - try to avoid politically hot targets, nothing good comes of it - especially target cyber insurance firms - they hit all the clients, then the insurer themselves

By Alexander Culafi for TechTarget: The founder and CEO of Group-IB, a Russian cybersecurity company known for its threat hunting and cybercrime research, was arrested Tuesday under treason charges. Sachkov is accused of "transferring intelligence data to foreign special services."

By Kristen Korosec for TechCrunch: "Moeller describes this as 100 screaming babies"

From the BBC: This research, led by Dr Andreea Radu, showed that it was possible to trick Apple Pay into sending money to an unauthorized payment reader, without unlocking the phone. Apple and VISA tried to downplay it, calling it impractical or saying it could only happen in a lab. Based on the research, this is flat wrong and is a prime opportunity for criminals to take advantage of using skimmers! - It only requires Apple Pay and a VISA card in "transport mode" - ticket gate readers can send "magic bytes" to bypass Apple Pay lock screens - surprise: anyone can capture and replay these magic bytes to 'pickpocket' funds from Apple Pay if they're in physical proximity to the phone; all you need is an Android phone and a Proxmark RDV4 - though transport mode is designed for easy payment for public transit, there doesn't appear to be a reasonable ceiling on the transaction amount - it's also not restricted to transit merchant codes (basically, you could use a coffee shop merchant code for the transaction) - Apple said VISA should fix it by performing additional fraud prevention checks - VISA said Apple should fix it since Samsung Pay wasn't affected by the issue - Either VISA or Apple could fix it alone, but once again, the consumer is the one that loses here when neither do - paper and source code: https://practical_emv.gitlab.io/