PSW #733 – Stephen Ward, & David Kennedy
1. Managing Shadow Code & the Blind Side in 3rd Party Risk – Stephen Ward – PSW #733
With all of your focus and investment on 3rd party risk management, there is likely still a blind side that remains unaddressed. It is an area that should be moved to the top of your priority list, both for its potential to cause material losses in the form of response costs, fines and judgements, and for the ease with which it can be mitigated. It is a risk introduced by the 3rd party vendors you rely upon (and the nth parties they work with) to power and enhance your website. The threat of JavaScript-based attacks (click-jacking, digital skimming, formjacking, defacement, "Magecart") exists for any organization collecting sensitive data or conducting transactions through its web properties. Attacks of this type have done damage to some of the biggest brands in the world, costing household names like British Airways tens of millions, and they happen by the hundreds per month. Already in 2022, we've seen headlines of major client-side attacks like the one that hit Segway, potentially impacting nearly a million consumers.
This is an area of exposure, introduced through your own code and by your partners, that can only be addressed on the client side. It remains widely unaddressed, as the focus in website security to this point has been on securing the server side.
Join us for an exploration of the threat of these attacks, real-world examples of the material impact they have caused, and a discussion of the approaches to mitigating this risk, with the pros and cons of each.
Segment Resources:
Our core whitepaper https://info.sourcedefense.com/event/client-side-white-paper-2022?leadsource=White%20Paper
Blog on the blind side topic https://sourcedefense.com/resources/blog/wheres-the-blind-side-in-your-3rd-party-risk-its-on-the-client-side/
Free risk report on attendee's web properties https://sourcedefense.com/check-your-exposure/
This segment is sponsored by Source Defense. Visit https://securityweekly.com/sourcedefense to learn more about them.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Stephen Ward is CMO at Source Defense – the pioneer in client-side security. He has been with the firm since late 2021 and is responsible for all aspects of go-to-market. Stephen is a serial cyber security entrepreneur with a 25-year career in marketing. In his career, he has been fortunate enough to work for some of the most innovative, category-creating companies in our space. He helped bring forensics to the forefront in his time at NetWitness, helped drive change in endpoint security while at Invincea, brought threat intelligence to the mainstream while at iSight Partners, drove real change in OT/ICS security while at Claroty, and helped create the cyber risk quantification market while at RiskLens and through his work with the FAIR Institute. Don’t hold his title against him – he’s more than a marketing person – he’s been dedicated to driving better outcomes for the good guys in cyber security for the majority of his career.
2. Baby Food, Lapsus$, Anonymous Vs. Printers, UEFI Rabbit Holes, & Browser-In-Browser – PSW #733
In the Security News: insiders inside NASA, BIND is in a bind again, Lapsus$ is on a tear, ripping at Microsoft and Okta, Anonymous hacks printers, the UEFI security rabbit hole goes DEEP, MikroTik and TrickBot, Browser-in-the-Browser attacks, Nestlé gets attacked for not wanting to hurt babies, just another sabotage, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects – Cycode – Command injection for GitHub Actions, yikes.
- 2. Why We Haven’t Seen Debilitating Cyberwar in Ukraine – Meh, lots of speculation: "One was that Russian hackers are not nimble enough to compromise Ukrainian targets during the invasion; a second was that stealthy cyberattacks aren’t that useful when compared to the damage that Russian troops are doing with missiles and bombs; and thirdly that Russian hackers are too busy protecting their own digital infrastructure."
- 3. High-Severity Vulnerabilities Patched in BIND Server – Looks like DoS-resulting vulnerabilities, though they could still be useful to take out strategic DNS servers, if that's your thing.
- 4. Anonymous hacks unsecured printers to send anti-war messages across Russia – I still can't understand why people make printers available on the Internet: "The printers were misconfigured, and manually forwarded on the Russian routers. In every case we have reviewed, the port was deliberately forwarded."
- 5. Over 200,000 MikroTik Routers Worldwide Are Under the Control of Botnet Malware – Crazy: "The disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with the remote servers, raising the possibility that the operators may have used the same botnet-as-a-service." Also, links to this in the article: https://eclypsium.com/2021/12/09/when-honey-bees-become-murder-hornets/
- 6. Exploring a New Class of Kernel Exploit Primitive – Microsoft Security Response Center
- 7. High-Severity UEFI Vulnerabilities Patched in Dell Enterprise Laptops – Yea: "These also prove that the majority of enterprise tools available for source code analysis are not suitable for pinpointing firmware-specific security defects. There are multiple reasons, one of the most obvious being the differences in implementations of the memory management functions compared to the non-firmware-specific software. This leads to a false sense of security when no vulnerabilities are detected at source code level." And yep: "Unfortunately, most outsourcing companies developing firmware code for major device vendors do not have product security teams or sometimes even a single employee dedicated to mitigating security risks" - So many examples too, like vendors going to market with a 7-year-old Linux kernel and binaries... Better article too: https://binarly.io/posts/AMI_UsbRt_Repeatable_Failures_A_6_year_old_attack_vector_still_affecting_millions_of_enterprise_devices And also, these are like 6-year-old vulnerabilities: "In total I discovered three 0day vulnerabilities in NvmeSmm, SdioSmm and UsbRt drivers from AMI and one in ItkSmmVars driver from Intel. Vulnerabilities were reported to Intel on 15.07.2016 and after several working days both Intel and AMI confirmed all of the security issues. Intel decided to release a single advisory INTEL-SA-00057 to cover all four vulnerabilities:" (Ref: https://github.com/Cr4sh/Aptiocalypsis)
- 8. New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable – "Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two." Ref: https://mrd0x.com/browser-in-the-browser-phishing-attack/ - Also, I believe the pop-up window uses an image to fake the URL bar, which is an awesome trick (though I did not dig through the source to check if this is actually what it's doing). UPDATE: Okay, I looked at the source and yes, this is what it's doing :)
- 9. Okta investigating claims of customer data breach from Lapsus$ group – Uh oh: "Okta confirmed today they suffered a security incident in January when hackers compromised a laptop of one of its support engineers that could initiate password resets for customers. An investigation into the breach showed that the threat actors had access to the laptop for five days, during which they were able to access Okta's customer support panel and the company's Slack server." - What could you get from Slack and the support channel? https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/
- 10. Information About HubSpot’s March 18, 2022 Security Incident
- 11. Lapsus$ hackers leak 37GB of Microsoft’s alleged source code – Source code may not be my target at MS; backdoors in the update servers would be my personal favorite: "In a new blog post published tonight, Microsoft has confirmed that one of their employee's accounts was compromised by Lapsus$, providing limited access to source code repositories." Ref: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/
- 12. Anonymous released 10GB database of Nestlé – This is where the wild west approach gets messy: "Anonymous has called for a total boycott of Nestle products after the Swiss food conglomerate continued to supply essential goods to Russia despite mounting pressure from competitors to cut ties. In response to intense public pressure to cut ties with Russia in protest of its military assault on Ukraine, more than 400 multinational corporations have either partially or completely exited the country. Nestlé announced earlier this month that it would suspend all exports of its products from Russia except for essential items such as baby formula." - I mean, yea, baby formula.
- 13. OffSecOps: Using Jenkins For Red Team Tooling – HTTP418 InfoSec
- 14. Open Source Maintainer Sabotages Code to [NOT] Wipe Russian, Belarusian Computers – "RIAEvangelist told Motherboard in an email that “There was no actual code to wipe computers. It only puts a file on the desktop.” He then pointed to a Twitter account he said belonged to him and which had now been targeted by hackers."
- 1. Most NASA Systems at Risk From Insider Threats: Audit – NASA’s Inspector General has concluded an audit of the agency’s information technology systems that found its classified platform has effective insider threat countermeasures. However, the agency’s unclassified systems (which do contain sensitive information) possess substantial insider threat risks and require attention.
- 2. Emotet malware campaign impersonates the IRS for 2022 tax season – The Emotet malware crew reared its head in 2014 and has become the world’s most feared financial crime-oriented hacking group. They are ramping up their malware campaign as America’s tax season escalates. Their phishing emails emulate something that would be sent from the Internal Revenue Service, with malicious file attachments that the reader is urged to immediately open.
- 3. Exotic Lily initial access broker works with Conti gang – Researchers say they have linked the new initial access broker "Exotic Lily," which provides access to previously compromised entities, to operations being conducted by the "Conti" ransomware group. Exotic Lily is currently exploiting the Microsoft Windows MSHTML vulnerability (CVE-2021-40444) in phishing campaigns that have distributed more than 5,000 phishing emails per day targeting some 650 organizations from around the world.
- 4. FBI: AvosLocker ransomware targets US critical infrastructure – The FBI, U.S. Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) have issued a TLP:WHITE joint security advisory warning that the "AvosLocker" ransomware-as-a-service (RaaS) is being actively used in attacks targeting various U.S. critical infrastructure sectors.
- 5. High-Severity Vulnerabilities Patched in BIND Server – The Internet Systems Consortium (ISC) has released security updates to address three high-severity flaws (CVE-2022-0635, CVE-2022-0667, CVE-2021-25220) affecting the Berkeley Internet Name Domain (BIND) server software.
- 6. Anonymous leaked data stolen from Russian pipeline company Transneft – Anonymous hacked Omega Company, the in-house R&D unit of Transneft, the Russian oil pipeline giant, and leaked stolen data. The Anonymous collective claims it has 79GB of stolen emails, and leaked those emails on the "Distributed Denial of Secrets" whistleblower site.
- 7. White House issues call to action in light of new intelligence on Russian cyberthreat – The Biden administration once again urged private sector firms to address known vulnerabilities and harden their cyber defenses given the increased possibility of Russian cyber attacks targeting U.S. critical infrastructure.
- 8. Microsoft investigating claims of hacked source code repositories – Microsoft has revealed it is now investigating claims from the "Lapsus$" data extortion gang that it breached Microsoft's internal Azure DevOps source code repositories on March 20 and stole data.
- 9. Okta investigating claims of customer data breach from Lapsus$ group – According to Lapsus$, it was able to steal "superuser/admin" access to Okta.com, which allowed it to access the customer data. Per CEO Todd McKinnon, "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."
3. TrevorC2 – David Kennedy – PSW #733
Check out our latest interview with our good friend Dave Kennedy! When not pumping iron, Dave is hard at work understanding and implementing C2 infrastructure. TrevorC2 is a really cool framework that allows for some pretty stealthy C2 communications. Tune in to learn more!
Guest
David Kennedy is a Faculty member at IANS Research and Founder and Owner of TrustedSec, an information security consulting firm, and Binary Defense, a Managed Security Service Provider (MSSP) that detects attackers early to prevent large-scale invasions. In addition to creating several widely popular open-source tools, including ‘The Social-Engineer Toolkit’ (SET), PenTesters Framework (PTF), and Artillery, David has also released security advisories, including zero-days, with a focus on security research.
Prior to his work in the private sector, Dave served in the United States Marine Corps (USMC), focusing on cyber warfare and forensics analysis activities, including two tours to Iraq. He also served on the board of directors for (ISC)2, which is one of the largest security collectives and offers certifications such as the CISSP.