Voltron, Karakurt Extortion, 1 Click Workaround, Snowden Citizenship, & Casey Ellis – PSW #757
This week, we're joined by Casey Ellis to discuss a Telco breach from a land down under, UK government sits out bug bounty boom but welcomes vulnerability disclosure, Karakurt Data Extortion Group, Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack, being caught with your pants down, & more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Casey is the Founder and Chief Strategy Officer of Bugcrowd, as well as the co-founder of The disclose.io Project. He is a 20+ year veteran of information security who entered the space from a youth spent inventing things and generally getting technology to misbehave. Prior to Bugcrowd, Casey entered information security as a penetration tester and security researcher, before wearing a variety of hats ranging from solutions architecture and sales to CSO, and finally landing as a career cybersecurity entrepreneur.
Casey pioneered Crowdsourced Security as-a-Service, launching Bugcrowd and its first bug bounty programs in 2012, and co-founded the disclose.io vulnerability disclosure standardization and adoption project in 2014.
Hosts
- 1. SSRF vulnerabilities and where to find them – Detectify Labs
- 2. Fingerprintx Tool: An Internship Project for the Real World – Praetorian
- 3. Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804)
- 4. Russia gives citizenship to ex-NSA contractor Edward Snowden "A decree signed Monday by Russian President Vladimir Putin listed Snowden as one of 75 foreign citizens listed as being granted Russian citizenship. After fleeing the U.S. in 2013, Snowden was granted permanent Russian residency in 2020 and said at the time that he planned to apply for Russian citizenship without renouncing his U.S. citizenship." - Could he be called for military service for Russia? Has he disclosed secrets to Russia? Also, curious how he is making a living these days...
- 5. How 3 hours of inaction from Amazon cost cryptocurrency holders $235,000 "On August 17, the attackers used the hijacking to first obtain a TLS certificate for cbridge-prod2.celer.network, since they were able to demonstrate to certificate authority GoGetSSL in Latvia that they had control over the subdomain. With possession of the certificate, the hijackers then hosted their own smart contract on the same domain and waited for visits from people trying to access the real Celer Bridge cbridge-prod2.celer.network page."
- 6. SIM Swapper Abducted, Beaten, Held for $200k Ransom – Krebs on Security "A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life." - SIM swapping gets real. Why is it typically younger kids who are "holders"?
- 7. Negotiating a golden parachute clause in a CISO contract
- 8. Mythic Case Study: Assessing Common Offensive Security Tools
- 9. Introducing Hintfo – The Hacker Factor Blog "After chatting with Jeffrey last July, I decided to create my own "just metadata viewer". Since metadata contains helpful hints and internal information about files, I named my new service Hintfo (it's online at https://hintfo.com/). It works as easily as Jeffrey's: You upload a file to Hintfo and it shows you the metadata."
- 10. Shift F10 bypass and Autopilot privilege escalation
- 11. $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned - It can be costly to properly destroy data on older equipment (we interviewed someone a while back on this subject). However, I think it's still cheaper than paying fines of $35 million.
- 12. What’s behind the different names for hacker groups "Microsoft picks names from the periodic table. CrowdStrike gives Chinese state groups a name with "Panda" in it, Russian state groups get a "Bear" name, Iranian groups have "Kitten" names, and North Korean groups are "Chollima." Broadcom's Symantec uses names of insects. Palo Alto Networks names groups after constellations." - Not gonna lie, I kinda like how CrowdStrike does it. But why can't we all agree on a standard? I mean, we agree on so many other stand...oh nevermind...
- 13. Vultron: A Protocol for Coordinated Vulnerability Disclosure
- 14. New hacking group ‘Metador’ lurking in ISP networks for months
- 15. Linux System Call Monitoring – Black Hills Information Security
- 16. Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
- 17. 350,000 open source projects at risk from Python vulnerability
- 18. Hunting for Unsigned DLLs to Find APTs
- 19. When Ransomware Meets IoT: What’s Next? "Trojan ZuoRAT was found to target initially routers to then enumerate and move laterally to workstations in the victim’s network. Beyond that, we spoke directly with security leaders at financial organizations, who confirmed that IP cameras are among their riskiest devices according to their own internal security assessments." - I'm concerned with the bricking of devices being tied to ransomware. It's so easy to brick a device remotely today, just keep dropping devices until a ransom is paid, not that I want to give anyone ideas. However, recovery from a firmware wipe is hard.
- 20. Attackers abuse web security flaw in Sophos Firewall - This must be trivial to exploit: "This is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall that could be abused by remote attackers to execute arbitrary code on the vulnerable versions of Sophos firewalls." Ref: https://thesecmaster.com/how-to-fix-cve-2022-3236-a-critical-rce-vulnerability-in-sophos-firewall/
- 21. Attackers impersonate CircleCI platform to compromise GitHub accounts
- 22. ISC fixed high-severity flaws in the BIND DNS software
- 23. CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation - Hot mess: "This vulnerability happens due to a vulnerable version of Apache OFBiz (CVE-2020-9496) that exposes an XML-RPC endpoint at /webtools/control/xmlrpc in case of Manage Engine products this endpoint is /xmlrpc. This endpoint can deserializes java objects, as part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands." References: https://www.bigous.me/2022/09/06/CVE-2022-35405.html and https://github.com/viniciuspereiras/CVE-2022-35405/
- 24. New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access - This is the dangerous part: "In terms of supply chain impact, it will take 6-9 months based on our data for the vulnerabilities to be patched by device manufacturers at least on all the enterprise devices"
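An added detection-side illustration of the ManageEngine / OFBiz item above (this is not code from the show, from the linked write-ups, or from the PoC repository): the quote says the XML-RPC endpoint deserializes whatever serialized arguments arrive, before the method is even dispatched, so the thing to look for in proxy or WAF logs is an XML-RPC `methodCall` to `/xmlrpc` or `/webtools/control/xmlrpc` whose parameters carry a base64 blob that starts with the Java serialization stream header (`AC ED 00 05`). The script below parses such a request, flags any `serializable` or `base64` value that decodes to a Java stream, and pulls out the top-level class name as a hunting hint. Assumptions: your logs give you the request path and raw body; the `ex:serializable` element and its namespace are those of Apache XML-RPC's extensions; both sample requests are constructed, and the "malicious" one is only a bare stream header naming `java.util.HashMap`, not a working gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# Endpoints named in the write-ups: ManageEngine exposes /xmlrpc, stock OFBiz the longer path
XMLRPC_PATHS = {"/xmlrpc", "/webtools/control/xmlrpc"}


def _local(tag):
    """Strip an XML namespace: '{uri}serializable' -> 'serializable'."""
    return tag.rsplit("}", 1)[-1]


def top_level_class(blob):
    """Class name of the first object in a Java serialization stream, or None if not parseable.
    Layout: magic(4) TC_OBJECT(1) TC_CLASSDESC(1) utf-length(2) class-name(n) ..."""
    if not blob.startswith(JAVA_SERIAL_MAGIC) or len(blob) < 8:
        return None
    if blob[4] != TC_OBJECT or blob[5] != TC_CLASSDESC:
        return None
    n = int.from_bytes(blob[6:8], "big")
    if len(blob) < 8 + n:
        return None
    return blob[8:8 + n].decode("utf-8", "replace")


def inspect_xmlrpc(path, body):
    """Scan one HTTP request (path + body). Returns a finding dict, or None if nothing suspicious."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if _local(root.tag) != "methodCall":
        return None
    method = (root.findtext("methodName") or "").strip()
    blobs = []
    for el in root.iter():
        tag = _local(el.tag)
        # <base64> is legitimate XML-RPC binary; <serializable> is the Apache extension that
        # triggers Java deserialization. Flag either only if the payload is a Java stream.
        if tag not in ("serializable", "base64"):
            continue
        try:
            raw = base64.b64decode((el.text or "").strip(), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(JAVA_SERIAL_MAGIC):
            blobs.append({"element": tag, "class": top_level_class(raw), "size": len(raw)})
    if not blobs:
        return None
    return {
        "path": path,
        "method": method,
        "known_endpoint": path in XMLRPC_PATHS,
        "serialized_objects": blobs,
    }


def _constructed_java_stream(class_name):
    """Constructed sample: a Java stream header naming one class, padded with a fake
    serialVersionUID and a few filler bytes. Assumption for the example only; NOT a gadget chain."""
    name = class_name.encode()
    return (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + len(name).to_bytes(2, "big") + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")


# Constructed request. The method name is irrelevant: per the quoted write-up the
# parameters are deserialized as part of processing the call, before dispatch.
MALICIOUS_REQUEST = f"""<?xml version="1.0"?>
<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
  <methodName>anyMethod</methodName>
  <params><param><value>
    <ex:serializable>{base64.b64encode(_constructed_java_stream("java.util.HashMap")).decode()}</ex:serializable>
  </value></param></params>
</methodCall>"""

# Constructed benign request: ordinary introspection call, plus a base64 value that is not a Java stream
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName>
<params><param><value><base64>SGVsbG8=</base64></value></param></params></methodCall>"""

if __name__ == "__main__":
    for path, body in (("/xmlrpc", MALICIOUS_REQUEST), ("/xmlrpc", BENIGN_REQUEST)):
        print(path, inspect_xmlrpc(path, body))
```

The base64-decode-then-check-magic step is what keeps false positives down: XML-RPC allows arbitrary binary in `<base64>`, so only payloads that actually begin with the Java stream header are reported. The extracted class name is a hunting hint, not a verdict; a real gadget chain's outermost class is often something unremarkable from the JDK, so treat any serialized object arriving at an endpoint that should never receive one as the signal.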
- 1. FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports - Allegedly young attacker, got in over their head; initially tried asking for a $1M ransom to not release the data; then madly backpedaled, apologized, said they deleted the data. Some very interesting talking points here:
  - 1. Optus is Australia's 2nd largest mobile telecom. It is a subsidiary of Singtel, a Singaporean government-owned telecom conglomerate that happens to be a huge cybersecurity investor (they bought Trustwave back in 2015 and rumors of them selling it have been swirling for the past few years).
  - 2. The attack vector was apparently an unauthenticated API that gave access to the entire live customer database. It was allegedly part of a test network that wasn't supposed to be exposed to the Internet (whoopsie!).
  - 3. The attacker alleges they would have reported the security issue, but couldn't find any way to do so (no bug bounty, VDP, security contact, security.txt, DNS security record).
  - 4. They released a 10,200 record sample as proof they had the data, but allegedly "nearly 10 million records" were exfiltrated, making it potentially Australia's biggest breach in terms of impact to individual citizens.
  - 5. Was texting individuals, trying to ransom each record individually for $1300 per record. Bold enough to be requesting bank transfer to a domestic (CBA) bank!!
- 2. Tenchi Security’s new newsletter, Alice in Supply Chains
- 1. Digital natives more likely to fall for phishing attacks at work than their Gen X and Boomer colleagues
- 2. Getting Started with the undocumented Tesla BLE API
- 3. Someone is pretending to be me.
- 4. “Girls Who Code” books banned in some US classrooms • The Register
- 5. Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers – Krebs on Security