Bullseye OS, Unicode Mystery, ‘Bearded Barbie’ CatPhishing, & NginxDay – PSW #736
This week in the Security News: Hackers have found a clever new way to steal your Microsoft 365 credentials, Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip, An update to Raspberry Pi OS Bullseye, Bearded Barbie hackers catfish high ranking Israeli officials, & Nginxday!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Hosts
Paul Asadoorian
Principal Security Researcher at Eclypsium
- 1. Hackers have found a clever new way to steal your Microsoft 365 credentials: "Researchers from MalwareHunterTeam noted Static Web Apps have two features that are being abused with ease - custom branding for web apps, and web hosting for static content such as HTML, CSS, JavaScript, or images."
- 2. First Malware Targeting AWS Lambda Serverless Platform Discovered: "Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server ("gw.denonia[.]xyz") by concealing the traffic within encrypted DNS queries." - Also, it doesn't target a weakness in Lambda, but checks for that environment. Original article: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
- 3. Former Ethereum Developer Virgil Griffith Sentenced to 5+ Years in Prison for North Korea Trip: "What the judge found most damning, perhaps, was a photo of Griffith presenting at the conference, wearing a traditional North Korean suit and standing in front of a blackboard on which it read “No sanctions!” with a smiley face."
- 4. Microsoft’s New Autopatch Feature to Help Businesses Keep Their Systems Up-to-Date: Sounds like what we've been doing with 3rd party tools all along? "Updates are applied to a small initial set of devices, evaluated, and then graduated to increasingly larger sets, with an evaluation period at each progression," Microsoft said. "The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized."
- 5. An update to Raspberry Pi OS Bullseye – Raspberry Pi: "Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."
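The Raspberry Pi post's point is that a known default username gives a password-guesser half of the credential for free. The detection below is an added example (not from the Raspberry Pi post or any host): it parses sshd log lines for failed and accepted password logins, flags guessing runs against well-known default accounts, and flags the case that actually matters, a success following a run of failures from the same source. The log lines are constructed for the example, and `DEFAULT_USERS` and the threshold are assumptions to tune for your own fleet.

```python
"""Added example, not from the Raspberry Pi post: spot password guessing
against well-known default accounts in sshd logs, and a success that
follows a run of failures from the same source.

The log lines are constructed for this example; DEFAULT_USERS and the
threshold are assumptions to tune for your fleet."""
import re
from collections import Counter

# Assumed list of account names an attacker will try first.
DEFAULT_USERS = {"pi", "root", "admin", "ubuntu"}

# Constructed sample (addresses are from documentation ranges).
SAMPLE_LOG = """\
Apr 11 02:14:01 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.7 port 51822 ssh2
Apr 11 02:14:03 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.7 port 51822 ssh2
Apr 11 02:14:05 raspberrypi sshd[1203]: Failed password for pi from 203.0.113.7 port 51822 ssh2
Apr 11 02:14:08 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51824 ssh2
Apr 11 02:14:10 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51824 ssh2
Apr 11 02:14:12 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51824 ssh2
Apr 11 02:14:20 raspberrypi sshd[1207]: Accepted password for pi from 203.0.113.7 port 51830 ssh2
Apr 11 02:15:03 raspberrypi sshd[1210]: Failed password for invalid user oracle from 198.51.100.9 port 40100 ssh2
Apr 11 02:16:00 raspberrypi sshd[1215]: Failed password for dave from 192.0.2.5 port 50000 ssh2
Apr 11 02:16:09 raspberrypi sshd[1215]: Accepted password for dave from 192.0.2.5 port 50000 ssh2
"""

# sshd writes "invalid user" when the account does not exist; the name is still useful.
_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """Return (outcome, user, ip) tuples in log order; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _AUTH.search(line)
        if m:
            events.append((m.group("outcome"), m.group("user"), m.group("ip")))
    return events


def default_account_guessing(events, threshold=5):
    """(user, ip) pairs with at least `threshold` failures against a default account."""
    failures = Counter((u, ip) for outcome, u, ip in events if outcome == "Failed")
    return {k: n for k, n in failures.items() if k[0] in DEFAULT_USERS and n >= threshold}


def success_after_guessing(events, threshold=5):
    """(user, ip) pairs where a login succeeded after `threshold` or more prior
    failures from the same source: the signal that a guessed password worked."""
    running = Counter()
    hits = set()
    for outcome, user, ip in events:
        key = (user, ip)
        if outcome == "Failed":
            running[key] += 1
        elif running[key] >= threshold:
            hits.add(key)
    return hits


if __name__ == "__main__":
    ev = parse_auth_events(SAMPLE_LOG)
    print(default_account_guessing(ev))   # {('pi', '203.0.113.7'): 6}
    print(success_after_guessing(ev))     # {('pi', '203.0.113.7')}
```

In practice the input is `journalctl -u ssh` or `/var/log/auth.log`; the second function is the one worth paging on, since a guessing run that ends in `Accepted password` against a default account is a compromise, not noise.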
- 6. NginxDay: Strange disclosure: "As Nginx have now released a blog post about the public releases of information, we've emailed them with a description, some familiarities of the issue that they highlighted over and assets affected. However, people are quick to jump on the "This is fake" or "This isn't anything" bandwagon. As we got no answer to if there is any bounty offered by Nginx for the findings, we've not shared any deeper information about this. If there is no bounty or even reward, we've looked at the other option that would be to sell the exploit on either breached.co, exploit.in or other sites. (We've been offered about 200K in XMR for the exploit)." NGINX blog post: https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
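One of the weaknesses the linked NGINX post addresses, as I read it, is that the LDAP reference auth daemon inserted the HTTP-supplied username into its LDAP search filter without escaping. The code below is an added example, not nginx's code and not anything from the NginxDay disclosure: it shows that unsafe interpolation next to an RFC 4515 escaping function, run against a constructed in-memory directory with a deliberately minimal filter evaluator (one `(attr=value)` assertion, `*` as wildcard). The `FILTER_TEMPLATE`, the directory entries and the `lookup_user` helper are assumptions for the illustration.

```python
"""Added example, not code from nginx or the NginxDay disclosure.

Shows LDAP search-filter injection through an unescaped username next to
RFC 4515 escaping.  The directory, filter template and evaluator are
constructed for this illustration; the evaluator supports exactly one
'(attr=value)' assertion with '*' as a wildcard."""
import re

# RFC 4515 section 3: these characters must be hex-escaped in assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory: DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"cn": "alice"},
    "cn=bob,ou=people,dc=example,dc=com": {"cn": "bob"},
}

# Assumed filter template in the style of a "(cn=%(username)s)" auth lookup.
FILTER_TEMPLATE = "(cn=%s)"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def _value_to_regex(value: str) -> "re.Pattern[str]":
    """Translate an assertion value to a regex: an unescaped '*' is a
    wildcard, a '\\xx' sequence is a literal character (ASCII here)."""
    pieces = []
    for piece in value.split("*"):
        literal = _HEX.sub(lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$")


def search(directory: dict, ldap_filter: str) -> list:
    """Toy evaluator: exactly one '(attr=value)' assertion, no nested parens."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported or malformed filter: " + ldap_filter)
    attr, value = m.groups()
    pattern = _value_to_regex(value)
    return [dn for dn, attrs in directory.items() if pattern.match(attrs.get(attr, ""))]


def lookup_user(directory: dict, username: str, escape: bool) -> list:
    """DNs an auth daemon would go on to bind as for `username`.

    escape=False reproduces the unsafe interpolation; escape=True is the fix."""
    value = escape_filter_value(username) if escape else username
    return search(directory, FILTER_TEMPLATE % value)


if __name__ == "__main__":
    print(lookup_user(DIRECTORY, "alice", escape=True))   # one match
    print(lookup_user(DIRECTORY, "*", escape=False))      # every entry: wildcard injected
    print(lookup_user(DIRECTORY, "*", escape=True))       # []: the '*' is now literal
```

With an unescaped `*` the lookup returns every entry, so a daemon that binds as the first result authenticates the attacker as whichever user sorts first; an unescaped `(` or `)` in the username breaks the filter outright. Escaping turns both into literal characters that match nothing. In a real deployment the same escaping should be applied by the LDAP library (for example, `ldap.filter.escape_filter_chars` in python-ldap) rather than hand-rolled.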
- 7. Bearded Barbie hackers catfish high ranking Israeli officials: Catphished? "After gaining the trust of the target by interacting with them for a while, the adversaries suggest migrating the conversation to WhatsApp, supposedly for better privacy. This is when the conversation takes an erotic turn, with the threat actors suggesting another pivot to a supposedly more discreet Android IM app, which is actually the VolatileVenom malware. Simultaneously, the operative sends a link to a RAR file that purportedly contains a sexual video, but which in reality is a downloader for the BarbWire backdoor."
- 8. How Bitcoin Tracers Took Down the Web’s Biggest Child Abuse Site: This is a long but amazing read. So many twists and turns, and thankfully we have investigators that don't give up and are able to take down scumbags at scale.
- 9. Amazon RDS Vulnerability Led to Exposure of Credentials: Interesting to see how this is exploited: "The log_fdw extension, AWS also notes, is pre-installed in both Aurora PostgreSQL and Amazon RDS for PostgreSQL. A privileged, authenticated user able to trigger the bug could use the leaked credentials to gain elevated access to database resources. “They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved,” AWS notes."
- 10. OpenSSH Moves to Prevent ‘Capture Now, Decrypt Later’ Attacks: "According to notes published alongside the release of OpenSSH 9.0, the open-source group will now use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm." - Huh? Some resources: https://ntruprime.cr.yp.to/ and https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/#
- 11. Apache Releases Security Advisory for Struts 2
- 12. Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene: Borrowing from Mirai, still... "This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility." Original Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
- 13. Microsoft Zero-Days, Wormable Bugs Spark Concern
- 14. Russia’s Sandworm hackers attempted a third blackout in Ukraine: Turn the power off once, shame on you. Let it happen again, shame on me: "In Tuesday's press briefing, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations represents not merely Russia's lack of focus on cyberwar as it carries out a full-blown physical war, but also Ukraine's growing ability to defend itself in the digital domain. “We have been dealing with an opponent that has been constantly training us, drilling us. Since 2014 we've been under constant aggression, and our expertise is unique in how to rebuff this aggression,” says Zhora. “We're stronger. We're more prepared. And of course, we will secure victory.”"
- 15. Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware – Microsoft Security Blog
- 16. Russian Hackers Tried Attacking Ukraine’s Power Grid with Industroyer2 Malware
Larry Pesce
Product Security Research and Analysis Director at Finite State
Lee Neely
Senior Cyber Advisor at Lawrence Livermore National Laboratory
- 1. Microsoft takes down APT28 domains used in attacks against Ukraine: Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains that were being used by the group as attack infrastructure to hit various Ukrainian institutions and the media.
- 2. First Malware Targeting AWS Lambda Serverless Platform Discovered: Malware dubbed "Denonia" is being leveraged in attacks targeting the Amazon Web Services (AWS) Lambda serverless computing platform. Denonia is programmed in the "Go" language and includes a customized "XMRig" cryptocurrency mining variant.
- 3. SuperCare Health Data Breach Impacts Over 300,000 People: California-based respiratory care provider SuperCare Health recently disclosed a data breach affecting more than 300,000 individuals. Breached 7/23-27/21, disclosed 2/4/22 because of analysis. How long is too long?
- 4. Sandworm hackers fail to take down Ukrainian energy provider: The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical subsystems using a new version of the CaddyWiper data destruction malware.
- 5. FFDroider, a new information-stealing malware disguised as Telegram app: Researchers say they have observed threat actors leveraging a new piece of Windows information-stealing malware dubbed "FFDroider" that is disguised as the Telegram instant messaging app and specifically designed to steal targeted victims' credentials and browser cookies.
- 6. Chinese hackers are using VLC media player to launch malware attacks: According to Symantec, as part of the attacks, Cicada uses a "clean" version of VLC to drop a malicious file with VLC's export functions, which is a technique frequently used by hackers to introduce malware into legitimate software.
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element