News
Personal note
Thank you for the kind "welcome back" messages, they were really heartwarming. It feels good to be back, and I hope you all enjoy each issue!
Breaches and leaks
- Definitely the low point in infosec news this week: a ransomware infection at a hospital forced a critically ill patient to be diverted to another hospital, and the patient died because treatment came too late. A strong reminder that for some in our line of work it's not about saving data, but about saving lives: link.
- The US Department of Veterans Affairs had an online application breached. The attackers diverted healthcare payments intended for the treatment of some 46,000 veterans, whose personal data may also have been stolen: link.
- Ransomware infections were reported at IPG Photonics, a laser manufacturer: link, and a Californian school district: link.
- Mailfire, a marketing company, had an unsecured Elasticsearch instance with 320 million records related to dating sites: link.
- Staples had a bug in their order tracking system that exposed detailed customer data for any order: link.
- Close to 2000 Magento webshops were infected with card skimmers in a single weekend: link.
Zerologon: trivial exploit to get full control of a Windows Domain Controller
Granted, an attacker needs some kind of small foothold in the network first: the exploit (CVE-2020-1472) is unauthenticated, but it has to reach the Netlogon RPC service on a domain controller. Once they have that, this is the one lateral move to rule them all, because it lets them reset the DC's machine account password and take over the domain. It doesn't happen often that a second-stage exploit gets a 10/10 CVSS score. The root cause is that Netlogon encrypts the authentication challenge with AES-CFB8 using an all-zero IV, so for roughly 1 in 256 session keys an all-zero challenge produces an all-zero response, and the attacker can simply retry with zeros until it works. There is exploit code in the wild, so patching is a must, and the US government (CISA) has even issued an emergency directive ordering federal agencies to patch.
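To see why the zero-IV mistake makes the exploit trivial, here is an added illustration (not code from the linked article or from the researchers who found the bug). In CFB8 mode each output byte is the first byte of the block cipher applied to a 16-byte shift register, XORed with the input byte, and the output byte is then shifted into the register. With an all-zero IV and all-zero input, if that first keystream byte happens to be zero the register never changes and every output byte is zero, which happens for about 1 in 256 keys. To stay dependency-free the code below uses a keyed SHA-256 construction as a stand-in for AES-128; that is an assumption of this example, but the argument only needs a key-dependent block function, so the same behaviour holds with real AES.

```python
"""Zerologon's crypto flaw: AES-CFB8 with a fixed all-zero IV.

Added example, not the article's or the Zerologon researchers' code.
ASSUMPTION: a SHA-256 based keyed block function stands in for AES-128.
"""
import hashlib

BLOCK = 16                # block size in bytes, as for AES
ZERO_IV = bytes(BLOCK)    # the fixed IV Netlogon uses (the bug)
ZERO_CHALLENGE = bytes(8) # the all-zero client challenge/credential an attacker sends


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: not real AES)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8: keystream byte = first byte of E_k(shift register);
    the ciphertext byte is shifted into the register after each step."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_zero_input_is_zero(key: bytes) -> bool:
    """True when CFB8(key, IV=0, 0^8) == 0^8: with this key a zero challenge
    'authenticates'. This holds exactly when E_k(0^16)[0] == 0, because a
    zero output byte leaves the register all-zero for the next step too."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_weak_key(limit: int = 20000) -> bytes:
    """Deterministic search over counter-derived keys (constructed input)
    for one where the all-zero challenge succeeds."""
    for i in range(limit):
        key = i.to_bytes(BLOCK, "big")
        if zero_iv_zero_input_is_zero(key):
            return key
    raise RuntimeError("no weak key found in range")


def weak_key_rate(trials: int) -> float:
    """Fraction of pseudo-random keys for which a zero challenge passes
    under the zero-IV scheme; expect about 1/256."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"key" + i.to_bytes(4, "big")).digest()[:BLOCK]
        if zero_iv_zero_input_is_zero(key):
            hits += 1
    return hits / trials


def random_iv_rate(trials: int) -> float:
    """Same check but with a per-session pseudo-random IV: a zero result now
    needs all eight keystream bytes to be zero (probability 2^-64)."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"key" + i.to_bytes(4, "big")).digest()[:BLOCK]
        iv = hashlib.sha256(b"iv" + i.to_bytes(4, "big")).digest()[:BLOCK]
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    k = first_weak_key()
    print("weak key found:", k.hex())
    print("zero-IV success rate:", weak_key_rate(20000))   # ~0.0039 (1/256)
    print("random-IV success rate:", random_iv_rate(2000))  # 0.0
```

The attacker does not get to choose the session key, but because it is derived from the challenges of both sides and a fresh server challenge is issued on every attempt, retrying with a zero client challenge hits a "weak" session key after roughly 256 tries. The `random_iv_rate` function shows that a per-session IV, as a proper CFB8 usage would require, removes the shortcut entirely.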
BLESA: Bluetooth security flaw
Another week, another Bluetooth vulnerability. This one, BLESA (Bluetooth Low Energy Spoofing Attack), concerns the reconnection between two previously paired devices. The Bluetooth LE spec leaves authentication during reconnection optional and does not spell out clearly enough how it must be handled. As a result, some implementations accept a reconnection without enforcing it, which lets an attacker impersonate a previously paired device and feed the victim spoofed data.
New iOS 14 and iPadOS 14 security and privacy features
There's some good stuff in there: a clear on-screen indicator when the microphone or camera is in use, a notification when an app reads the clipboard, the option to share an approximate instead of a precise location, a prompt when an app requests local network access, and randomised MAC addresses per network to hinder Wi-Fi tracking.
US charges foreign hackers
There's quite a few charges being put up lately, and they are often an interesting read:
- US brings charges against a number of Iranian nationals for hacking aerospace and satellite companies. One charged individual is said to lead a double life between white-hat researcher and OWASP member on one side, and black-hat working for Iranian intelligence on the other: link.
- US brings charges against several Chinese nationals as members of the state-sponsored APT41 hacking group. They are alleged to be behind the CCleaner and ShadowPad supply-chain compromises, and operated through a legitimate-looking cybersecurity firm as a front: link.
Maze ransomware now encrypts via virtual machines to evade detection
Not the first time this technique has been used (Ragnar Locker did the same earlier this year), but it's very much worth highlighting. To bypass endpoint security, the ransomware runs inside a virtual machine that mounts the host's disks as shares, so from the host's point of view the files are being written by a trusted hypervisor process rather than by the malware itself.
MITRE introduces library for adversary emulation plans
This is pretty cool. MITRE, known from the ATT&CK framework that maps out the common steps attackers take, is starting a library in which it documents how specific threat groups run their attacks, step by step. This way you can put your defences to the test and see whether you'd be able to detect them. The linked article is their announcement, but if you just want to skip to what such a plan looks like, I got ya: link.
Related, although from a higher level, here's a fascinating write-up of how the FIN7 cybercrime group operates: link.
IRS offers $625,000 bounty if you can break Monero privacy
Quite an unorthodox approach for a tax agency. They really must be having a lot of trouble with people hiding and transferring assets through the Monero cryptocurrency.
Krebs article on investment scams
I hadn't heard of this one yet, and it's a good "con" to be aware of. Potential investors approach your company with a lot of interest and goodwill, but expect you to bear the cost of the due diligence. Once those fees have been paid to the legal firm they "prefer to work with", they bail out.
UK government releases toolkit to easily disclose vulnerabilities
It's really just a document, but a good one at that. It describes how an organisation can set up and run a vulnerability disclosure process. It even provides response plans for XSS and subdomain takeovers, because those were the issues most often reported to them. You can go to the document directly here.
When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number
This is hands down the greatest write-up I have ever read, I was in tears from laughing halfway through. It's a very long read though, so make sure to set some time aside.