Facing the Reality of Risk Prioritization – Dan DeCloss, Bianca Lewis (BiaSciLab) – PSW #819
Full Audio
View Show IndexSegments
1. Facing the Reality of Risk Prioritization – Dan DeCloss – PSW #819
Public information about exploits and vulnerabilities alone is not enough to inform prioritization, especially with the growing rate and variety of CVEs. Dan DeCloss, founder and CTO of PlexTrac, joins the show to discuss solving the challenges of risk prioritization to drive faster, more strategic assessment cycles. Spoiler: The key is adding context and prioritization to risk-scoring equations.
Segment Resources: https://plextrac.com/get-ready-to-prioritize-risk-with-our-new-contextual-scoring-engine/?utmmedium=techptr&utmsource=securityweekly
https://plextrac.com/video/priorities/?utmmedium=techptr&utmsource=securityweekly
This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Guest
Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.
Hosts
2. DCNextGen, Memory Safety And More! – PSW #819
BiaSciLab from DEF CON joins us to discuss DCNextGen! In the security News: MouseJacking still works, CISA recommends a complete rebuild, memory safety and re-writing code, not all doorbells are created equal, putting a firewall in front of your LLM, rugged gear and vulnerabilities, PLCs are not safe, neither are Windows kernels..
Segment Resources: https://www.defcon.kids https://www.BiaSciLab.com https://www.GirlsWhoHack.com https://www.SecureOpenVote.com
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Guest
BiaSciLab is a 17 yr old hacker and maker and the founder and CEO of Girls Who Hack, a non-profit teaching middle school and high school girls the skills of hacking so that they can change the future. She also started Secure Open Vote, her own end to end election system that is completely open source.
Hosts
- 1. Network tunneling with… QEMU?
- 2. Pentagon Leaker Jack Teixeira Pleads Guilty Under a Deal That Calls for at Least 11 Years in Prison – SecurityWeek
- 3. CVE-2024-0039: Critical Android Remote Code Execution Vulnerability
- 4. Hackers exploited Windows 0-day for 6 months after Microsoft knew of it
"In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress." - Summarized very nicely. This particular vulnerability is pretty devastating: "If an attacker, despite all of these hurdles, manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation. By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place (which might seem a bit ironic, given that CVE-2024-21338 concerns an AppLocker driver)." Some have been critical of MS for this: https://cyberplace.social/@GossiTheDog/112027038989119814
- 5. Purism Differentiator Series, Part 6: Security – Purism
Purism represents the folks who love coffee and take it so far that they grow their own plants, roast their own beans, and don't use any electronics when making a cup of Joe. This statement really struck me: "Code is Malware if You Cannot Verify The Source".
- 6. Secure by Design: Google’s Perspective on Memory Safety
- 7. Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers
Building upon several previously documented attacks, researchers are able to comprise PLCs via the exposed web APIs. The research is great, and a lot to unpack. They've demonstrated several different types of attacks and state that the techniques can be applied to several different vendors.
- 8. Security Bulletins
- 9. Flipper Zero’s Co-Founder Says the Hacking Tool Is All About Exposing Big Tech’s Shoddy Security
Interesting interview, curious to see what is next!
- 10. Dumping LSASS Like it’s 2019
Yep, that’s right. In 2024, an unsigned, random executable running a Cobalt Strike Beacon can dump LSASS using a 2019-era technique without MDE batting an eye, provided you don’t write the dump file to disk.
- 11. Compromising Industrial Processes Using Web-Based Programmable Logic Controller Malware ≈ Packet Storm
- 12. GTPDOOR – A novel backdoor tailored for covert access over the roaming exchange
- 13. Russian hackers exploit Ubiquiti routers in covert cyberattacks, FBI warns
- 14. dnf5daemon-server: Local root Exploit and Local Denial-of-Service in dnf5 D-Bus Components
- 15. NVD – CVE-2023-52558
- 16. trap-bytes/403jump: HTTP 403 bypass tool
Doesn't appear to have a new bypasses, but makes it easy to test for a suite of 403 bypasses.
- 17. Using Open Source Internet Routing Tools to Monitor a Sanctioned Russian Bank – bellingcat
- 18. GreyNoise Labs – RattaGATTa: Scalable Bluetooth Low-Energy Survey
- 19. Ivanti attacks linked to espionage group targeting defense contractors
- 20. Hugging Face, the GitHub of AI, hosted code that backdoored user devices
- 21. Nvidia publishes eight security flaws patched by new drivers — update to fix the issues
Time to update your graphics drivers, which if you are running Linux, is always a fun time!
- 22. Popular video doorbells can be easily hijacked, researchers find
Do your research before buying things such as doorbells: " the most impactful issue is that if someone is in close proximity to an EKEN doorbell camera, they can take “full control” of it by simply downloading its official app — called Aiwit — and putting the camera in pairing mode by simply holding down the doorbell’s button for eight seconds. Aiwit’s app has more than a million downloads on Google Play, suggesting it is widely used."
- 23. MouseJacking (With Flipper Zero): Tales from Pen Testing Trenches – Brackish Security
Neat to see this in action, still today. The research is from 2016, however, as is evidenced by this post, people still have devices vulnerable to mousejacking (https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices). If you do, find them and update the firmware on them or replace them with something that is not vulnerable. Why? This article shows how you can use a Flipper Zero with an NRF24 add-on and inject a ducky script. Sweet! Note: I have this NRF24 add-on for my Flipper: https://www.tindie.com/products/tehrabbitt/flipper-zero-5v-nrf24-miniboard-by-rabbit-labstm/ (There are two versions, one with an external antenna connector, and one without).
- 24. MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs
- 25. How To Hunt For UEFI Malware Using Velociraptor
- 26. Intel Core Ultra vPro Platform Brings New Security Features
- 27. Reggaeton Be Gone
- 28. Protecting Rugged Gear from UEFI Threats and Secure Boot Vulnerabilities
I had fun telling a story in this blog post. However, its a nice segway into rugged computing, where its used, and why Secure Boot is especially important.
- 29. Flatlined: Analyzing Pulse Secure Firmware and Bypassing Integrity Checking
It should be noted that while CISA is recommending Ivanti appliances be re-built from scratch and the ICT be run, there are caveats. Thanks to my co-worker Nate Warfield, we know that the ICT can be tricked and attackers can implant malicious scripts in appliance backups (https://eclypsium.com/research/pwned-balancers-commandeering-f5-and-citrix-for-persistent-access-c2/).
- 1. American Express credit cards exposed in third-party data breach
In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen.
"We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification.
- 2. VMware sandbox escape bugs are so critical, patches are released for end-of-life products
VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.
- 3. Spyware maker NSO Group ordered to turn over Pegasus code in WhatsApp case
A US federal judge in California has ordered spyware maker NSO Group to share its source code with WhatsApp. The order came about because of a lawsuit filed by WhatsApp against NSO Group over the company’s spyware being used to snoop on 1,400 WhatsApp users. The order does not require NSO Group to reveal their client list or information about their server architecture.
This goes back to 2018/2019 where the NSO group created messaging accounts, setup proxy and relay servers, which sent messages to mobile devices to exploit CVE-2019-3568, a buffer overflow app in the WhatsApp, present in iOS, Android, Windows Phone and Tizen devices. NSO is also facing similar charges from Apple and the Kinght First Amendment Institute and has lost bids for their cases to be dismissed due to foreign state status, or that it is only licensed for national lawful surveillance.
- 4. Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.
Actions: 1 Limit outbound internet connections from SSL VPN appliances to restrict access to required services. 2 Keep all operating systems and firmware up to date. 3 Limit SSL VPN connections to unprivileged accounts.
- 5. Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment
The ransomware attack targeting medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the US—including those in hospitals—and leading to serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle: One of the partners of the hackers behind the attack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment.
ALPHV/BlackCat affiliates are sabre rattliing about getting cheated out of their share of the Change Healthcare ransom payment, leading many to coclude that is what this transaction was. ALPHV lists 28 companies they are extorting in addition to Change Healthcare, so it's not a given they paid.
- 6. German Authorities Take Down ‘Crimemarket’ Cybercrime Website
Law enforcement authorities in Germany have taken down the Crimemarket website and arrested six people in connection with the “biggest illegal, German-speaking online trading platform.” Crimemarket had an estimated 180,000 registered users. The investigation has been active for several years, and culminated in the February 29, execution of more than 100 search warrants. German police also seized evidence, including technological devices, narcotics, and cash.
German law enforcement is not just investigating the operators, they are also including traders and users. They have been monitoring the platform over an extended period, allowing the platform to operate after they had compromised it to support collecting incriminating information including identification, login credentials and other information.
- 7. Hikvision Patches High-Severity Vulnerability in Security Management System
Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. CVE=2024-25063 and CVE-2024-25064 have CVSS scores of 7.5 and 4.3 respectively. While no evidence yet shows these are being exploited in the field, the fix is to update to the latest version of the software. Be sure to go to the Hikvision system relevant for your country/region, also review their security best practices to optomize your installation.
- 8. FCC staff targeted in phishing attack that cloned agency login site
Researchers from Lookout have detected a phishing kit they call CryptoChameleon that is being used to target US Federal Communications Commission (FCC) employees as well as users and employees of cryptocurrency platforms. The campaign uses cloned single sign-on pages to trick targeted users into sharing their account access credentials on mobile devices. This campaign captured usernames, passwords, password reset URLs and even photo IDs.
- 9. Georgia’s Largest County Is Still Repairing Damage From January Cyberattack
The government of Fulton County, George, has not fully recovered from a late-January cyberattack against their IT systems. The incident took down the office phone system and prevented clerks from issuing vehicle registrations, marriage licenses, and other permits. The attackers have also threated to leak sensitive data they claim to have taken from Fulton County systems.
Fulton County was a LockBit victim and was one of the sites targeted after the LockBit takedown/re-emergence saying the attackers still had their data and demanded payment, Interestingly, even though the deadline passed without payment, no data was released. Meanwhile, the county is using paper forms to process jail detainees, residents cannot pay utility bills or access property records online, and clerks are unable to issue marriage licenses or firearm permits.
- 10. South Korea says semiconductor industry targeted by cyber-spies from North
North Korean hackers breached at least two South Korean microchip equipment companies in recent months, stealing product design drawings and facility site photos, according to South Korea’s spy agency. NIS says the attacks targeted Internet-exposed servers through known vulnerabilities to gain initial access to corporate networks. NIS says the cyber espionage groups used “living-off-the-land” techniques to hide from tools that might have detected their presence in the networks.
Have you had a strategy discussion on detecting, and thwarting, a living-of-the-land attack?
- 11. Examining Malicious Hugging Face ML Models with Silent Backdoor
Researchers from JFrog have detected more than 100 malicious artificial intelligence/ machine learning (AI/ML) models in the Hugging Face platform. When downloaded and, the malicious code installs backdoors and other malware on end-user devices. Most of what JFrog detected seem to be proof-of-concepts; just 10 were discovered to actually be malicious.
The challenge is detecting the malicious capabilities of these AI/ML models. While it appears they were caught flat footed, Hugging Face has since added process to do malware, pickle and secrets scanning for every file in every reposittory for malicious code, unsafe deserialization or sensitive information and alert moderators/users. Additionally Hugging Face developed a new model for securely storing model data called "safetensors."
- 12. #StopRansomware: Phobos Ransomware
The US Cybersecurity and Infrastructure Security Agency (CISA) , the FBI, and the Multi -State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory warning that Phobos ransomware is being used to attack networks at government and critical infrastructure organizations. The document includes a list of tactics, techniques, and procedures (TTPs) used by the ransomware actors, as well as indicators of compromise (IOCs) Phobos operates on a ransomware-as-a-service (RaaS) model. The advisory recommends securing RDP ports, prioritizing the remediation of known exploited vulnerabilities, and implementing EDR solutions.
Make sure you're keeping an eye on all remote-access/RDP solutions in play, not just MS RDP and VNC.
- 1. ‘A single optical fiber’: Scientists build a silicon-less computer that use light waves and surpasses existing systems for classification — could this be the ultimate AI CPU?
We utilize a single optical fiber to mimic the computational power of numerous neural networks. Data are encoded onto the color channels of ultrashort light pulses. These pulses carry the information through the fiber, undergoing various combinations, amplifications, or attenuations.
- 2. Secure by Design: Google’s Perspective on Memory Safety
We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety. At the same time, a large-scale rewrite of existing C++ code into a different, memory-safe language appears very difficult and will likely remain impractical. This means that we will likely be operating a very substantial C++ codebase for quite some time. We thus consider it important to complement a transition to memory safe languages for new code and particularly at-risk components with safety improvements for existing C++ code. Memory safety bugs are responsible for the majority (~70%) of severe vulnerabilities in large C/C++ code bases. Android 13 introduced 1.5M lines of Rust with zero memory safety vulnerabilities. This prevented an estimated hundreds of memory safety vulnerabilities.
- 3. Hackers steal Windows NTLM authentication hashes in phishing attacks
Phishing emails attach unique (per victim) ZIP archives containing HTML files that use META refresh HTML tags to trigger an automatic connection to a text file on an external Server Message Block (SMB) server..
- 4. BlackCat ransomware turns off servers amid claim they stole $22 million ransom
The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million. The affiliate says that they still have 4TB of Optum's “critical data,” describing it as “production data that will affect all Change Healthcare and Optum clients.”
- 5. CISA cautions against using hacked Ivanti VPN gateways even after factory resets
Attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT). CISA urged all Ivanti customers today to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment"
- 6. Cloudflare wants to put a firewall in front of your LLM
“Firewall for AI” includes two capabilities: Advanced Rate Limiting, and Sensitive Data Detection. In coming months, Cloudflare plans to test a prompt validation feature to prevent prompt injection attacks.