A get-together of Neema and Jorge to discuss the latest Cyber Security stories and adventures. Having a good time and welcoming all.
An important Microsoft patch is coming soon, so make sure to patch your systems promptly.
A short-form version of the main stories of the week.
Jorge and Neema do Kaseya and we talk iCloud Max Max baby!
Neema and Jorge pretend it's May. Jorge edits audio for the first time.
- Ransomware trends ~ 4:30
- WhatsApp for criminals ~ 15:00 (because WhatsApp wasn't bad enough..)
- Jorge babbles about privacy, Neema is a total trooper about it. ~ 22:10
- SITA data breach. Neema calls Xi the W word. ~ 37:45
- Android Security and the Google I/O presentation ~ 43:20
- BSC! ~ 1:21:00
Topic Links
https://thehackernews.com/2021/06/emerging-ransomware-targets-dozens-of.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29
https://nymag.com/intelligencer/2021/06/fbi-snooped-on-criminals-using-encrypted-messaging-app.html
https://threatpost.com/supply-chain-attack-airlines-state-actor/166842/
Android stuff Links
Android & Rust - https://security.googleblog.com/2021/05/integrating-rust-into-android-open.html
Android Ready SE - https://security.googleblog.com/2021/03/announcing-android-ready-se-alliance.html
- https://source.android.com/compatibility/9/android-9-cdd.pdf?hl=sv
IOXT Alliance - https://www.ioxtalliance.org/
BSC Links
https://nickjanetakis.com/blog/best-practices-around-production-ready-web-apps-with-docker-compose
https://github.com/dineshsonachalam/Lucid-Dynamodb
https://github.com/muc-dev/linked
https://github.com/ProtonMail/WebClient/issues/242
https://www.indiegogo.com/projects/paperd-ink--2#/
https://www.infoq.com/news/2021/05/grain-web-assembly-first/
https://github.com/google/zx
Jorge is away on holiday and Neema steers the cyber ship!
Stories:
https://www.computerweekly.com/news/252501665/Exagrid-pays-26m-to-Conti-ransomware-attackers
https://www.securityweek.com/kenyan-arrested-qatar-first-targeted-phishing-attack?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+securityweek+%28SecurityWeek+RSS+Feed%29
https://techcrunch.com/2021/06/02/stack-overflow-acquired-by-prosus-for-a-reported-1-8-billion/
Jorge and Neema blasting cyber security to ashes!
Stories:
https://japantoday.com/category/crime/people-in-japan-can-now-earn-%C2%A510-000-bounties-for-scamming-scammers
https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
https://www.pcmag.com/news/darkside-ransomware-group-loses-server-access-after-us-moves-to-disrupt
https://www.flurry.com/blog/ios-14-5-opt-in-rate-att-restricted-app-tracking-transparency-worldwide-us-daily-latest-update/
https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/
https://blog.ethereum.org/2021/05/18/country-power-no-more/
https://blog.1password.com/welcoming-linux-to-the-1password-family/
Jorge and Neema doing their Cyber thang!
Stories:
https://www.bleepingcomputer.com/news/security/hashicorp-is-the-latest-victim-of-codecov-supply-chain-attack/amp/
https://www.securemac.com/news/facebook-finds-new-ios-spyware-phenakite
https://www.eff.org/press/releases/eff-and-aclu-ask-supreme-court-review-case-against-warrantless-searches-international
https://www.unibw.de/patch/papers/usenixsecurity20-wasm.pdf
https://www.cnbc.com/2021/04/30/eu-says-apples-app-store-breaches-competition-rules.html
Jorge and Neema spice things up with some Dual Core luvin!
Stories:
https://www.securityweek.com/us-expels-russian-diplomats-imposes-new-round-sanctions?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/1
https://techcrunch.com/2021/04/13/fbi-launches-operation-to-remotely-remove-microsoft-exchange-server-backdoors/
https://www.theregister.com/2021/04/21/signal_cellebrite/
Useful links:
https://www.apple.com/privacy/docs/A_Day_in_the_Life_of_Your_Data.pdf
https://github.com/WICG/floc/issues/100
https://techcrunch.com/2021/04/13/fortnite-maker-epic-completes-1b-funding-round
Just when you thought we were gone..... Jorge and Neema return with a BANG! A defender's perspective on Azure!
Useful links:
https://threatpost.com/cna-hit-novel-ransomware/165044/
https://adsecurity.org/?p=4277
https://dirkjanm.io/
https://www.pentestpartners.com/security-blog/azure-ad-attack-of-the-default-config/
Jorge and Neema hitchhike the open plains of cyber security!
News stories:
https://gizmodo.com/this-mom-allegedly-created-deepfakes-to-bully-her-daugh-1846471615
https://thehackernews.com/2021/03/google-to-reveals-what-personal-data.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29
https://www.zdnet.com/article/apple-developers-targeted-by-new-malware-eggshell-backdoor/
https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a
https://www.zdnet.com/article/google-cloud-here-are-the-six-best-vulnerabilities-security-researchers-found-last-year/
https://www.nytimes.com/interactive/2021/03/18/magazine/facial-recognition-clearview-ai.html
Bite-sized chunks:
https://slack.engineering/migrating-millions-of-concurrent-websockets-to-envoy/
https://www.learnlatex.org/en/
https://www.audacityteam.org/audacity-3-0-0-released/
https://symflower.com/en/company/blog/2021/git-autofixup/
https://lwn.net/SubscriberLink/849125/c4422a7c318a5a17/
Neema and Jorge blow up the complex world of Cyber Security!
Stories:
https://www.zdnet.com/article/this-malware-was-written-in-an-unusual-programming-language-to-stop-it-from-being-detected/
https://www.wired.com/story/privacy-first-browser-brave-launching-search-engine/
https://www.infosecurity-magazine.com/news/ransomware-paralyzes-spanish/
https://www.proofpoint.com/uk/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
Jorge and Neema ride the wavelength of Cyber. Spoiler: it was too big to handle!
Stories:
https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
https://thehackernews.com/2021/03/why-do-companies-fail-to-stop-breaches.html
https://www.macrumors.com/2021/03/04/eu-prepares-to-charge-apple-in-spotify-dispute/
https://www.gov.uk/government/news/cma-investigates-apple-over-suspected-anti-competitive-behaviour
https://www.reuters.com/article/us-eu-apple-epic-games-antitrust/epic-games-takes-apple-fight-to-eu-antitrust-regulators-idUSKBN2AH0MO
https://www.coindesk.com/amazon-digital-currency-mexico
MS Exchange bug hunting recommendations:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
https://github.com/microsoft/CSS-Exchange/tree/main/Security
NSE script to test your instance:
https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
Mitigations:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Jorge and Neema take a stroll through the lush meadows of Cyber Security!
Show links:
https://developer.amazon.com/en-US/docs/alexa/custom-skills/security-testing-for-an-alexa-skill.html#
https://www.forbes.com/sites/tonyewing/2020/12/06/stop-using-alexa-and-google-assistant-while-working-until-you-change-these-settings/
https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/?sh=246ebaa42a39
https://taler.net/en/features.html
https://www.sec.gov/Archives/edgar/data/1582961/000119312521055798/d898181ds1.htm
https://frame.work/blog/introducing-the-framework-laptop
https://securityandtechnology.org/blog/a-broad-coalition-for-decisive-action-on-ransomware/
https://www.bleepingcomputer.com/news/security/nsa-microsoft-promote-a-zero-trust-approach-to-cybersecurity/
https://alistapart.com/article/the-future-of-web-software-is-html-over-websockets/
https://arstechnica.com/information-technology/2021/02/ukraine-says-russia-hacked-its-document-portal-and-planted-malicious-files/
Stories:
https://www.securityweek.com/many-solarwinds-customers-failed-secure-systems-following-hack?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
https://www.zdnet.com/article/malvertiser-abused-webkit-zero-day-to-redirect-ios-macos-users-to-shady-sites/#ftag=RSSbaffb68
https://www.bloomberg.com/features/2021-supermicro/
https://www.zdnet.com/article/fastest-vpn-how-we-rated-the-top-services/
https://www.zdnet.com/article/more-bosses-are-using-software-to-monitor-remote-workers-not-everyone-is-happy-about-it/
Useful links:
Confiant blog - https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba
https://core.ac.uk/download/pdf/194998579.pdf
SuperMicro statement - https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rCS24lsHxSes/v0
Neema and Jorge skydive into the cyber stories of the week!
Stories:
https://threatpost.com/fake-forcepoint-google-chrome-extension-hacks/163728/
https://thehackernews.com/2021/02/researchers-reveal-how-iran-spies-on.html
https://www.securityweek.com/hack-exposes-vulnerability-cash-strapped-us-water-plants?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
https://mashable.com/article/smartphone-health-app-data-police/?europe=true&utm_source=social&utm_medium=instagram&utm_campaign=mash-com-inst-link&utm_content=later-14423192
Useful links:
https://developer.apple.com/app-store/review/guidelines/#unacceptable - Apple's App Store policies
https://developer.chrome.com/docs/webstore/program_policies/ - Google's app store policies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 - Alex Birsan's article
Jorge rides the cyber train and Neema wings it on his hang glider!
Stories:
https://www.zdnet.com/article/google-kills-the-great-suspender-heres-what-you-should-do-next/
https://www.theverge.com/tldr/2021/2/5/22268646/german-police-bitcoin-digital-wallet-missing-password
https://thehackernews.com/2021/02/critical-bugs-found-in-popular-realtek.html
https://techxplore.com/news/2021-02-google-diet-cookies-track-users.html
https://www.netscout.com/blog/asert/plex-media-ssdp-pmssdp-reflectionamplification-ddos-attack
Useful link:
https://tldrlegal.com - Breaks down EULAs in an easy-to-digest manner
Neema and Jorge ride the cyber train!
Stories:
https://www.bbc.com/news/technology-55826258
https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/
https://www.infosecurity-magazine.com/news/us-launches-global-action-against/
https://webtransparency.cs.princeton.edu/dark-patterns/
https://www.rfc-editor.org/rfc/rfc8959.txt
https://www.theatlantic.com/ideas/archive/2021/01/why-everybody-obsessed-gamestop/617857/
https://www.washingtonpost.com/technology/2021/01/29/apple-privacy-nutrition-label/
Neema and Jorge dive in!
Stories:
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://www.zdnet.com/article/rogue-cctv-technician-spied-on-hundreds-of-customers-during-intimate-moments/
https://arstechnica.com/tech-policy/2021/01/this-site-posted-every-face-from-parlers-capitol-hill-insurrection-videos/
https://www.securityweek.com/sonicwall-says-internal-systems-targeted-hackers-exploiting-zero-day-flaws?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
Neema and Jorge do what they love!
Stories:
https://securityaffairs.co/wordpress/113446/security/cisco-rv-routers-eol.html?utm_source=rss&utm_medium=rss&utm_campaign=cisco-rv-routers-eol
https://securityaffairs.co/wordpress/113332/deep-web/dark-web-darkmarket-seized.html
Defender's perspective: BEC (Business Email Compromise)
https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
Defense Milestones
Containment
- Determining the type of compromise and targets
- Acquiring exports of affected local inboxes
- Establishing the messaging timeline and techniques
- Compromised local accounts?
  - Reset the email password
  - Reset the passwords of SaaS solutions that use the compromised inboxes
  - Pull the account AAA log (30 days before and after the reported window)
- Suspicion of a compromised foreign account?
  - Notify any other local stakeholders interacting with the account
  - Disclose to the third party through the relationship manager
  - Pull the email flow log (30 days before and after the reported window)
  - Pull original headers from the email security gateway if header modification is done
- Review the technical markers of the attack
  - (if typosquatting) Obtain the historic information about the domain
    - Domain whois (if possible)
    - Domain DNS history
    - Spam lists
  - (if attachments) Review attachment metadata
    - Derive the technique employed to impersonate legitimate documentation (a good indicator of attack sophistication)
  - Email headers are very helpful, leaking:
    - The technology stack employed for email
    - The journey of the email
    - Insight into the spam scoring
  - Look for skews in language correlating the email to a certain nationality
    - Some nationalities are more common than others. Most nationalities make the same mistakes.
- Gather maximum intel from ongoing conversations with the actor, under approval and supervision
- Put in place side-channel verification (a verification phone call, or otherwise double-confirmation on a channel unlikely to be compromised) for all transactions over xyz value
- Incorporate your DPO team; follow any triage and regulatory notification process applicable, as counselled by them
- Establishing loss and recovery potential; factor in insurance!
Eradication
- Incorporate your legal and third-party management teams; ensure the provisions present in the contract in case of data breaches are honored
- Suspicion of a compromised foreign account?
  - Re-establish trusted inboxes on their side
  - Receive attestations as determined in the contract
Recovery & Lessons Learnt
- Is email being used as a duct-taping mechanism out of technical debt? FIX. IT. It will not get any cheaper.
- Prescribe standard awareness materials to the business analysts of the relevant type; ensure coverage across your colleague base
- Ensure the first-line business analysts/operators are able to easily report future attempts
- Gather the technical fingerprint of the attack in a standard format (STIX, YARA, etc.) along with the fraud use case. Share a redacted version with your intel partners and providers.
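The containment steps above lean on what a suspect email's headers leak (its journey, mailer, spam score) and on spotting typosquatted sender domains. The helper below is an added example for this show note, not code from the podcast: it parses a constructed sample message, lists its Received hops, and flags a From domain within two edits of an assumed allow-list of real partner domains.

```python
"""BEC triage helper: pull the email's journey and spam scoring from its
headers and flag lookalike (typosquatted) sender domains.
Added example; the sample message and TRUSTED_DOMAINS below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike domain (.co instead of .com) posing as a supplier.
SAMPLE_RAW = """Received: from mail.acme-supplies.co (unknown [203.0.113.7])
\tby mx.example.org with ESMTP id abc123; Mon, 11 Jan 2021 09:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.acme-supplies.co (Postfix) with ESMTP id 9F1A2; Mon, 11 Jan 2021 09:11:58 +0000
X-Mailer: PHPMailer 6.1.6
X-Spam-Score: 4.2
From: "Accounts Payable" <ap@acme-supplies.co>
To: finance@example.org
Subject: Updated bank details for invoice 1043

Please use the new account for all future payments.
"""

# Assumed allow-list of genuine partner domains (constructed for the example).
TRUSTED_DOMAINS = {"acme-supplies.com"}


def levenshtein(a, b):
    """Edit distance; a sender domain one or two edits from a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the journey, mailer, spam score and lookalike verdict for one raw message."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received header, so the list reads newest hop first.
    hops = [re.sub(r"\s+", " ", h.split(";")[0]).strip() for h in msg.get_all("Received", [])]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    lookalike_of = sorted(d for d in TRUSTED_DOMAINS if 0 < levenshtein(sender_domain, d) <= 2)
    spam = msg.get("X-Spam-Score")
    return {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_of,   # non-empty means: verify on a side channel first
        "hops": hops,
        "mailer": msg.get("X-Mailer"),  # leaks the sending technology stack
        "spam_score": float(spam) if spam else None,
    }
```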
Neema and Jorge jump into the cyber stories of the week!
Stories:
https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/
https://arstechnica.com/tech-policy/2021/01/whatsapp-users-must-share-their-data-with-facebook-or-stop-using-the-app/
https://wccftech.com/facebook-publishes-newspaper-ads-to-criticize-apples-ios-14-privacy-updates/
Additional Notes:
BT issue fixed as implemented in open AOSP-based projects: https://github.com/search?p=2&q=5d37d17af57c70d7faa459b92e5b1a758a5a8adb&type=Commits
Specifics on the BT PDU that could be abused ("RegisterNotification"): https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=309020
LibExif CVE impacting the Android media framework: https://bugzilla.suse.com/show_bug.cgi?id=1055857
Makernote: https://en.wikipedia.org/wiki/Exif#MakerNote_data
LibExif bug report: https://bugzilla.suse.com/show_bug.cgi?id=1055857
AppTrackingTransparency: https://developer.apple.com/app-store/user-privacy-and-data-use/
Facebook's advisory on iOS 14: https://www.facebook.com/business/help/331612538028890?id=428636648170202
Jorge and Neema take another journey into the world of Cyber Security!
Stories:
https://www.zdnet.com/article/microsoft-and-mcafee-headline-newly-formed-ransomware-task-force/
https://www.zdnet.com/article/vietnam-targeted-in-complex-supply-chain-attack/#ftag=RSSbaffb68
https://thehackernews.com/2020/12/autohotkey-based-password-stealer.html
https://www.techrepublic.com/article/change-your-macos-power-settings-to-prevent-disconnecting-from-vpnwi-fi-when-the-computer-is-locked/#ftag=RSS56d97e7
Follow us on Twitter @ShadoSec
Neema and Jorge jump into the Cyber stories of the week!
Stories:
https://www.securemac.com/blog/zero-click-imessage-exploit-used-to-hack-journalists
https://threatpost.com/lazarus-covid-19-vaccine-maker-espionage/162591/
https://www.darkreading.com/edge/theedge/5-email-threat-predictions-for-2021-/b/d-id/1339786?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
https://www.nytimes.com/2020/12/21/technology/ripple-cryptocurrency-sec-lawsuit.html
https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
https://www.scmagazine.com/home/editorial/the-solarwinds-hack-and-the-danger-of-arrogance/
MERRY CHRISTMAS and HAPPY NEW YEAR!
Thank you for downloading and listening. We really appreciate your support. ShadoSec is geared towards Cyber Security and having a good time with each other and our listeners. Please feel free to share your feedback and ideas with us on Twitter: @ShadoSec
Show Notes:
Stories:
SolarWinds: https://www.wired.com/story/russia-solarwinds-hack-roundup/
Hackers hide card-skimming code in CSS: https://www.zdnet.com/article/hackers-hide-web-skimmer-inside-a-websites-css-files/
German court order against Tutanota: https://www.cyberscoop.com/germany-court-ruling-tutanota-email-monitoring/
Useful links:
PCI guidelines to secure e-commerce sites: https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf
Static analysis tool for JavaScript code: https://github.com/eth-sri/UnuglifyJS
Cool Twitter guy: @AffableKraut
EFF article related to Tutanota: https://www.eff.org/deeplinks/2020/06/senates-new-anti-encryption-bill-even-worse-earn-it-and-thats-saying-something
Stay blessed, and Merry Christmas to all of you!