Privacy, Security & OSINT #250 – Consequences of Product Refunds: This week they discuss the ways your store refunds are monitored and used against you, plus a new flag-planting lesson regarding vehicle insurance companies.
Smashing Security #261 – North Korea hacked, DEA cosplay, and Horizon Worlds drama: Who’s wearing the pyjamas while they take down North Korea’s internet? Is it a case of cop or cosplay in Oregon? And what’s to fear about the metaverse?
Risky Business #654 – FBI arrests deeply annoying cryptocurrency influencers.
Darknet Diaries #110 – Spam Botnets: This episode tells the stories of some of the world's biggest spamming botnets.
Human Factor Security – Episode 178 Gina Fiore: In this episode Jenny chats to professional gambler Gina Fiore. They discuss Gina’s awesome career and the similarities it has with social engineering as well as evasion tactics, disguises and the pressures of undercover work.
Sh*t you don’t learn in school – 42. Finding Meaning in Sudden Death: Death is a universal part of the human experience. During our lives, we often must confront the painful reality of death around us, and eventually, we face that reality ourselves.
Cybercrime Magazine – History of Hacking, Joe “Kingpin” Grand, Hardware Hacker, Former L0pht Member: Joe Grand is a product designer, hardware hacker, and the founder of Grand Idea Studio, Inc. He specializes in creating, exploring, manipulating, and teaching about electronic devices.
EFF How to fix the internet – Saving Podcasts from a Patent Troll: Imagine getting a letter in the mail—and then another, and then another—telling you that if you don’t pay $25,000 to a company you’ve never heard of, you’ll have to shut down the small business that you’ve worked for years to build.
Patching – Interactive Binary Patching for IDA Pro: This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.
Copy Regex Matches: a Burp Suite plugin to copy regex matches from selected requests and/or responses to the clipboard.
Stratus Red Team: Granular, Actionable Adversary Emulation for the Cloud.
rga – ripgrep, but also search in PDFs, E-Books, Office documents, zip, tar.gz, etc.: A line-oriented search tool that allows you to look for a regex in a multitude of file types.
eventlistener-xss-recon: There are already many posts on how to use event listeners for XSS, but not so many on how to find them with recon and tools.
OAUTHScan: A Burp Suite Extension written in Java with the aim to provide some automatic security checks, which could be useful during penetration testing on applications implementing OAUTHv2 and OpenID standards.
EvilSelenium: A new project that weaponizes Selenium to abuse Chrome.
hardCIDR: A Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
akabe1/OAUTHScan: A Burp Suite extension useful when testing applications implementing OAUTHv2 and OpenID standards. It contains 10+ security checks for OAUTHv2/OpenID vulnerabilities and common misconfigurations.
A “Safety Net” for AWS Canarytokens: In an ideal world, you could use CloudTrail to monitor the use of AWS API tokens. However, some AWS APIs don’t log to CloudTrail (this is why we can’t have nice things). Thinkst Canary describes how you can use IAM credential reports as a safety net to determine when API keys have been used more recently than has been seen in CloudTrail, covering this blind spot, and they’ve recently rolled this out to free users on Canarytokens.org.
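The safety-net check described above, as an added example that is not Thinkst's or Canarytokens' code: it reconciles the IAM credential report's per-key "last used" timestamps with the most recent CloudTrail sighting of each canary user, and flags any key IAM says was used after (or without) CloudTrail ever seeing it. The column names are the real ones from iam:GetCredentialReport; the report rows, the CloudTrail "last seen" table, the account ID and the 15-minute grace window are constructed for the example.

```python
"""Cross-check IAM credential-report "last used" data against CloudTrail.

Added example, not Thinkst's or Canarytokens' code. The column names are the
real ones from iam:GetCredentialReport; the report rows, the CloudTrail
"last seen" table and the grace window are constructed for this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report, trimmed to the columns used here. In production
# this is boto3's iam.get_credential_report()["Content"] (bytes of CSV); the
# "user" column can also be "<root_account>".
SAMPLE_REPORT = b"""\
user,arn,access_key_1_active,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_used_date,access_key_2_last_used_service
canary-backup,arn:aws:iam::123456789012:user/canary-backup,true,2022-02-10T14:03:00+00:00,s3,false,N/A,N/A
canary-ci,arn:aws:iam::123456789012:user/canary-ci,true,2022-02-01T08:12:00+00:00,sts,false,N/A,N/A
canary-unused,arn:aws:iam::123456789012:user/canary-unused,true,N/A,N/A,false,N/A,N/A
canary-share,arn:aws:iam::123456789012:user/canary-share,true,2022-02-09T22:40:00+00:00,s3,false,N/A,N/A
"""

# Constructed: most recent CloudTrail event per canary user (from a LookupEvents
# query on the user name or a SIEM search). A user missing from this table has
# never appeared in CloudTrail at all.
CLOUDTRAIL_LAST_SEEN = {
    "canary-backup": datetime(2022, 2, 1, 12, 0, tzinfo=timezone.utc),
    "canary-ci": datetime(2022, 2, 1, 8, 12, tzinfo=timezone.utc),
}

# Assumption: IAM's last-used data and CloudTrail delivery can lag each other by
# minutes, so a small grace window avoids flagging keys CloudTrail is merely late on.
DEFAULT_GRACE = timedelta(minutes=15)


def parse_report(csv_bytes: bytes) -> list:
    """Decode the credential report CSV into one dict per IAM user."""
    return list(csv.DictReader(io.StringIO(csv_bytes.decode("utf-8"))))


def parse_ts(value: str):
    """Credential-report timestamps are ISO 8601; unused fields read N/A."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_unlogged_usage(rows, cloudtrail_last_seen, grace=DEFAULT_GRACE):
    """Return active keys whose IAM last-used time is newer than CloudTrail's.

    Each finding carries the user, the key slot (1 or 2) and the service IAM saw
    the key used against: the lead for hunting in the gap CloudTrail did not log.
    """
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                continue  # key never used; nothing to reconcile
            seen = cloudtrail_last_seen.get(row["user"])
            if seen is None or last_used > seen + grace:
                findings.append({
                    "user": row["user"],
                    "key_slot": slot,
                    "service": row[f"access_key_{slot}_last_used_service"],
                    "report_last_used": last_used,
                    "cloudtrail_last_seen": seen,
                })
    return findings


if __name__ == "__main__":
    for f in find_unlogged_usage(parse_report(SAMPLE_REPORT), CLOUDTRAIL_LAST_SEEN):
        print(f"ALERT {f['user']} key#{f['key_slot']} used via {f['service']} "
              f"at {f['report_last_used']:%Y-%m-%d %H:%M}Z; CloudTrail last saw it: "
              f"{f['cloudtrail_last_seen'] or 'never'}")
```

The report only tells you a key was used and against which service, not which API call, so a finding is a trigger to pull that user's CloudTrail history and the service's own logs (for example S3 server access logs), not a complete record of what happened.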
FourCoreLabs/firedrill: A malware simulation harness for evaluating your security controls, by FourCore Labs. Includes a set of four different attack simulations for you to use and build on top of: Ransomware Simulation, Discovery Simulation, a UAC Bypass and a Persistence Simulation.
dhondta/python-codext: A Python library and CLI tool that can encode/decode 120+ formats, along with a guess mode for decoding multiple layers of encoding, by Alexandre D’Hondt. Seems potentially useful for CTFs.
BeeWare: “Write your apps in Python and release them on iOS, Android, Windows, MacOS, Linux, Web, and tvOS using rich, native user interfaces. Multiple apps, one codebase, with a fully native user experience on every platform.”
Logger++ allows you to search for regex matches from your Burp history.
Logger++ allows you to search for regex matches from your Burp history, it's quite powerful but a bit unknown I think.
— Antoine Roly (@aroly) February 10, 2022
Common bug bounty beginner mistakes via Harsh.
What are some of the common mistakes beginner bug bounty hunters are making?
— Harsh Bothra (@harshbothra_) February 8, 2022
renniepak on how an out-of-scope (or low tier asset) vuln can still have in-scope impact.
A small thread on how an out-of-scope (or lower tier asset) vulnerability can still have an in-scope impact: #bugbountytips
— renniepak (@renniepak) February 7, 2022
pry0cc shares a tip for people who do pentests for apps in other languages.
Tip for people who do pentests for applications in other languages:
Use the Google app and use Google Goggles. I just used Google Goggles on my iPad with a stand to successfully use a fully Swedish app!
— pry0cc.eth // Ben Bidmead (@pry0cc) February 7, 2022
Linus’s bypass where newlines were not allowed.
— Linus Särud (@_zulln) February 4, 2022
Youssef on learning JS and examining code.
I made $222k+ from 6 bugs found in a 100-line piece of JS code. Estimated earnings of $500k from web client-side bugs to date with multiple bugs found in browsers. Some people are still questioning web client-side bugs, don't follow them, learn JS and start examining code.
— Youssef Sammouda (@Samm0uda) February 2, 2022
How to limit Burp RAM usage: “In order to limit the RAM used by @Burp_Suite, simply add "-Xmx512m" or "-Xmx4G" to ~/BurpSuitePro/user.vmoptions”
In order to limit the RAM used by @Burp_Suite, simply add "-Xmx512m" or "-Xmx4G" to ~/BurpSuitePro/user.vmoptions
— Mastering Burp Suite Pro (@MasteringBurp) February 1, 2022
Julien on their latest ATO in a tenant-based app.
I recently found a nice ATO that got me a 30,000 USD #BugBounty:
App is tenant-based, allowing you to register the same user on different tenants. I've found an endpoint disclosing the email activation token for new user accounts on your own tenant (so no mail access required).
— Julien Ahrens (@MrTuxracer) February 1, 2022
IRS Will Stop Using ID.me Facial Recognition
The US Internal Revenue Service (IRS) will stop using face recognition technology from ID.me. The agency had begun introducing the authentication technology and had announced that users would be required to submit video selfies to the third-party company to access their online accounts. The plan to require the use of the technology was decried by privacy and civil liberties advocates, as well as by legislators.
- This is a great lesson for security practitioners in how you often have to balance the interests of different stakeholders. The IRS has a difficult job. It has been the target of massive fraud, and at the same time needs to provide efficient access to tax data and filing resources. Most users will only connect with the IRS once a year, making some of the traditional authentication methods impractical. In addition, the filings often happen last minute. Now add a good amount of politics to a difficult technical problem. Solutions may include a government-wide identity management (login.gov does attempt to provide that; not sure why this wasn’t used here). Canada, for example, leverages financial institutions to identify individuals.
- First, it is important to point out: years of sensitive information compromises have proven that no data is private when it is accessible by a reusable password. It is critical that sensitive citizen tax-related information (already being compromised for several years because of weak authentication) be given stronger protection – privacy is impossible without it. In my comment on the IRS announcement a few weeks ago I said, “The government needs to do strong vetting and testing of the ID.me service.” That, as well as exploring other alternatives, should have been done first and data made available showing the protection provided to the authentication data.
- This is a great step in privacy and security, but it’s important to note that others in government (such as the Department of Veterans Affairs) still use the same underlying service for identity. It would be nice to see a government clearinghouse for vetting the security of privacy invasive technologies and building implementation guidelines.
- There are two challenges. First, what strength of authentication is appropriate for your data? NIST 800-63-3 says you need MFA for accessing PII, which applies to the IRS. Second, what level of identity verification is necessary when issuing the authenticator? This is the problem the IRS was working to solve with the facial recognition. Services such as Login.gov are working to solve this problem, providing the appropriate level of authentication and identity assurance before issuing credentials, while allowing partnering agencies to have a single IDP for non-government users.
- The IRS is in a tough spot here. They are trying to do the right thing by stopping rampant identity fraud. In addition, I’m not sure that this should be the IRS’s problem to solve as strong validation and authentication is needed by numerous government agencies, to include SSA. It appears that this is the path the government is taking with login.gov, but perhaps the solution is not robust enough yet? Either way, this is a problem that needs to be solved, so good to see this being worked on.
- Many of the objections raised here are knee-jerk and not well considered. Unlike the password, even in the rare cases when an actual image is stored, as in the case of the facial image on a driver’s license or passport, the utility does not rely upon secrecy. The world is awash with pictures of me, in both public and private databases. We have been using facial images for authentication purposes since the invention of photography. Computers have only recently become as good at reconciling them as toddlers.
Read more in
- IRS abandons facial recognition plan after firestorm of criticism
- IRS To Ditch Biometric Requirement for Online Access
- IRS to halt use of facial recognition tech after pressure from Congress, privacy experts
- IRS stops requiring selfies after facial recognition system is widely panned
- IRS announces it will stop use of facial recognition for identity verification
Microsoft Will Block Internet Macros in Office By Default
Microsoft plans to block VBA macros in files obtained from the Internet by default in several Office apps. The change is being made because such macros are a popular vector for malware infection. It will begin rolling out in April and will affect Access, Excel, PowerPoint, Visio, and Word on Windows devices.
- This is a tremendously positive change that will roll out over time for Microsoft Office users. Change like this is not easy, and may break some functionality which a small number of users leverage in Microsoft Office. This is no small feat, and kudos to Microsoft and the team behind this change for prioritizing the security benefits this change introduces.
- This is a welcome change. VBA macros remain an attack vector which works; this change makes these macros harder to enable: no more single-click activation, you will have to click “Learn More” and review the risk before an option to enable is offered. Organizations should already have enabled the “Block macros from running in Office files from the Internet” policy to prevent these macros today. Even so, you should, by default, not be enabling macros unless you really know where they are from, ideally requiring them to be digitally signed.
- This is a major win for all Microsoft Office users. The offensive community (as well as threat actors) have been leveraging macros to gain initial access for years. Kudos to everyone that has worked to highlight and resolve this issue.
Read more in
- Helping users stay safe: Blocking internet macros by default in Office
- Microsoft will block downloaded macros in Office versions going back to 2013
- Microsoft to make enabling ‘untrusted’ Office macros tougher in the name of security
- Microsoft plans to kill malware delivery via Office macros
- Microsoft to block downloaded VBA macros in Office – you may be able to run ’em anyway
FBI Flash Alert Lists LockBit 2.0 Indicators of Compromise
The FBI has published a TLP:WHITE Flash alert that lists indicators of compromise (IOCs) for LockBit 2.0 ransomware. The alert also includes technical details about the ransomware and recommended mitigations.
- Add these IOCs to your defenses and scan for any undiscovered activity. Review the mitigations, consider using execution allow/deny lists, particularly on servers to prevent execution of unauthorized code. Doubly so on your domain controllers.
- LockBit is one of the most common ransomware variants we are seeing. This report provides procedure-level intelligence about adversary behaviors you should be able to detect and respond to. Keep in mind that ransomware is the “action on objectives” that cause the final impact. You will want to improve your ability to detect the intrusion before high privilege is already obtained to perform exfiltration and encryption.
- The measures that one needs to take to resist breaches, including ransomware, are rarely specific to the methods used in the attack. These measures are efficient because they protect us from most attacks, both those that we anticipate and those that surprise us.
Read more in
- FBI shares Lockbit ransomware technical details, defense tips
- FBI Publishes Indicators of Compromise for LockBit 2.0 Ransomware
- Indicators of Compromise Associated with LockBit 2.0 Ransomware (PDF)
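"Add these IOCs to your defenses and scan for any undiscovered activity" is the first recommendation above; as an added example (not code from the FBI alert or from any product on this page), here is a small matcher that takes an indicator list pasted straight from an alert, including defanged values such as 203[.]0[.]113[.]45 and hxxp://, and runs it over log lines. The indicators and log lines are constructed placeholders so the script runs offline: the hashes are the SHA-256 and MD5 of the empty string, the IP is from the TEST-NET-3 range and the domain uses the reserved .example TLD; none of them are LockBit indicators.

```python
"""Match the indicators from a flash alert against log lines.

Added example, not the FBI's or any vendor's code. IOC_TEXT and SAMPLE_LOGS are
constructed placeholders (empty-string hashes, a TEST-NET-3 address, a reserved
.example domain); none of them are real LockBit indicators. Paste the values
from the alert into IOC_TEXT and feed it your own logs.
"""
import re

# Candidate extractors. Hash patterns sit on word boundaries so the first 32 or
# 40 hex characters of a SHA-256 are never mistaken for an MD5 or SHA-1.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed placeholder indicators, written defanged the way alerts print them.
IOC_TEXT = """
SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
MD5:    d41d8cd98f00b204e9800998ecf8427e
IP:     203[.]0[.]113[.]45
Domain: c2[.]example
"""

# Constructed log lines: an EDR process event, a proxy event, a benign process.
SAMPLE_LOGS = """\
2022-02-07T10:01:02Z host=ws-12 proc=winword.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2022-02-07T10:01:05Z host=ws-12 proxy dst=203.0.113.45:443 url=hxxps://c2[.]example/gate
2022-02-07T10:02:00Z host=ws-12 proc=explorer.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
""".splitlines()


def refang(text: str) -> str:
    """Undo the usual defanging: 203[.]0[.]113[.]45, c2(.)example, hxxp://."""
    text = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", text)
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def extract(text: str) -> dict:
    """Return {kind: set(values)} for every indicator-shaped token in text.

    Hashes are lowercased so an uppercase value in the alert still matches a
    lowercase one in the logs (and vice versa).
    """
    text = refang(text)
    found = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0).lower() for m in pattern.finditer(text)}
        if values:
            found[kind] = values
    return found


def scan(lines, iocs: dict) -> list:
    """Return (line_number, kind, value) for every known indicator seen in lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, values in extract(line).items():
            for value in sorted(values & iocs.get(kind, set())):
                hits.append((number, kind, value))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE_LOGS, extract(IOC_TEXT)):
        print(f"line {number}: {kind} {value}")
```

Because both the indicator list and the log lines go through the same extractor, harmless tokens such as winword.exe are pulled out as domain-shaped candidates but only surface when they also appear in the indicator set; the cost of that is zero curation of the alert text, which is what you want at 2 a.m.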
Lessons Learned from Ireland’s Health Service Executive Breach
The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center has released a publication enumerating lessons learned from the May 2021 cyberattack that affected Ireland’s Health Service Executive. That attack caused electronic health record (EHR) downtime, appointment cancellations, and data compromise.
- Slides 9 and 10 of the hhs.gov article highlight contributing factors to the attack’s efficacy; chief among them were organizational control deficiencies. The victim lacked communications and incident response plans and had no single cybersecurity leader or oversight committee. While many of us nerdfolk like to focus on technologies, the expensive blinky boxes don’t excuse us from having trained, empowered people and proven procedures.
- The more detailed HSE board report shows the attack starting with email phishing, leading to an employee clicking on a malicious Microsoft Excel file which allowed the attackers to capture the user’s credentials, access the internal network and game over. The report also notes that the HSE had high risk gaps in “25 out of 28 of the cybersecurity controls that are most effective at detecting and preventing human operated ransomware attacks.” And that the board had been briefed on that in November 2020. It sounds like the majority of lessons to be learned are critical security hygiene at basic levels, though many other deficiencies were pointed out.
- The timeline is interesting, particularly the interval between malicious activity identification and infection. There were only four days, and the initial observation was on a DC, meaning other IOCs were likely missed. The lessons learned show the value of being prepared, from current system and application inventories to assessments and effective leadership. Are you truly prepared? Do the incident reporting number or emails go to live people? Are your backups immutable? Are your DR/COOP plans where you can get them and up to date? Is your first anomalous activity detection point your servers? You don’t want your first alert to be the attackers owning your DC or other critical systems.
- A HUGE thank you to HSE for making this available to the public. Before people start attacking HSE for their mistakes, we should recognize them for the courage to share so others can learn and benefit. The last report I know of to go to this level of detail was the 2018 Equifax breach report. Interestingly, many of the same lessons learned are shared, with the biggest being the security culture and structure at the root of the problem.
- Lessons Learned is an important step in incident response and purple team exercises. Take advantage of the lessons others have learned to apply them in your organizations; there is always something to learn.
Read more in
- Lessons Learned from the HSE Cyber Attack (PDF)
- Ireland HSE Cyberattack is a Cautionary Tale For US Healthcare Orgs
CISA Tells Federal Agencies to Fix Windows Flaw by February 18
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal Civilian Executive Branch Agencies to patch a Windows privilege elevation vulnerability that is being actively exploited. The flaw affects all versions of Windows 10 and exploitation requires no user interaction. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities Catalog; agencies have until February 18 to apply updates.
- On the one hand, I really like Microsoft’s consolidated monthly rollups for applying security patches. But when Microsoft releases updates causing significant issues (like happened in January 2022), systems administrators are left choosing between the potential for being exploited by a local privilege escalation flaw or sacrificing uptime and operational availability. Microsoft would do well to enable organizations to choose the patches appropriate to their org. While this might cause some issues when administrators only apply high severity patches, the net effect is likely to be better security with CISA staying on top of these sorts of notifications.
- The fix is to apply the January 2022 update right away, as CVE-2022-21882, while not publicly disclosed, is being actively exploited. After the update, check for systems encountering AD Domain Trust errors; where found, apply the out-of-band .NET fix referenced above.
Read more in
- CISA orders federal agencies to patch actively exploited Windows bug
- CISA Orders Federal Agencies to Fix Actively Exploited Windows Bug
- CISA Adds One Known Exploited Vulnerability to Catalog
- Win32k Elevation of Privilege Vulnerability CVE-2022-21882
Dallas School District CISO Resigned After Cyber Incident
Two months after the August 2021 cyber security incident affecting the IT systems of the Dallas (Texas) Independent School District, the district’s CISO resigned, citing concerns that “the details of the breach will become public at some point, and Dallas ISD will lose credibility.” A local news outlet recently learned that the breach was the work of two district students.
- There’s a hidden gem in this story that I’ll be using with stakeholders for some time to come. In the interview, the school district superintendent says “We put in a lot of security measures that is very inconvenient for our staff, but it’s very important because we need to protect the security of this information” – a comment that demonstrates a total lack of understanding about security. While it might seem to embrace security, it really highlights a culture antithetical to security. When we’re talking about security vs usability in patient care, rock on. In primary education? Give me a break. It’s not surprising the CISO resigned.
- The students were lucky no charges were filed; the school district was lucky this wasn’t the action of malicious actors seeking to cause harm. The district was provided a report about cyber weaknesses which, when overlaid with the pandemic timing, makes a perfect storm of missed opportunities for improvement. Ask yourself what you would do. Make sure that reports of weaknesses, whether from an official engagement or otherwise filed, are tracked, acknowledged, validated and remediation actions taken. Have a communication and response plan. Leverage lessons learned and share them with peers; we all get “our turn in the barrel,” and it’s nice to know who can help you survive.
- Given the typical level of resourcing for cybersecurity in school districts, this shocks no one. For most, absent a major shift in IT architecture/defense, incidents like this fall into the motorcycle accident category: not “if” – but “when.”
- What is interesting here is it appears the CISO is resigning not due to the breach, but due to the way the breach notification was handled. Also, it was students who caused the breach. It appears the data was never publicly shared or sold, more along the lines of ‘grey hat hacking’. Students like these are at a vulnerable time where they are developing their skills faster than their ethics. This is where programs like CyberStart can offer students the perfect environment to not only test and develop their skills, but also their career and schooling options.
Read more in
- ‘They pretty much had access to everything’: WFAA reveals the masterminds behind last year’s Dallas ISD cyber breach. And it’s not who you think.
- School District CISO Quits Over Handling of Data Breach
Google Cloud Cryptojacking Scanner
Google Cloud is introducing a security feature that will help detect cryptojacking malware. Virtual Machine Threat Detection is being previewed in the Google Cloud Security Command Center. Google’s November 2021 Threat Horizons Report found that 86 percent of compromised Google Cloud instances were used for cryptomining.
- Interesting approach, and surprising that this hasn’t happened already. I hope other cloud providers will follow suit. The number one “IoC” of having your cloud resources compromised tends to be a billing alert triggered by cryptomining.
- The model is interesting. The idea is to use the Hypervisor to detect anomalous behavior aka signals, to detect an infection rather than an in-memory agent. You have to opt-in to VMTD in the SCC settings. The challenge will be for Google to tune it to prevent false positives, such as tagging legitimate cryptomining as cryptojacking.
- Third-party notification of a breach continues to be a top identification method in the incident response process. Cryptominers are one of many payloads used to cause impact. This is a good step forward and other cloud providers should consider the same.