iTunes
Deezer
Apple Podcasts
Stitcher
SoundCloud
Episode 58: May 28 2023
Links
https://www.cybersecuritydive.com/news/summer-holiday-weekends-cyber/651434/
https://www.netwrix.com/download/documents/Netwrix_Hybrid_Security_Trends_Report_2023_Enterprise_Sector.pdf – Copy URL if you don’t trust the link…I get it
Hot Pixel Technical Paper: https://arxiv.org/abs/2305.12784
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
Entering the Summer Caution Seaso
- Memorial Day Weekend
- Start of the Summer Vacation Season
- pattern has emerged in recent years
- summer of 2021
- largest ransomware attacks in recent U.S. history were all launched during major holiday weekends
- Colonial Pipeline compromise began around the Mother’s Day weekend in 2021
- meatpacker JBS was hit by REvil ransomware over the Memorial Day weekend in 2021
- Kaseya, a Florida-based IT monitoring firm, was hit by a major ransomware attack at the start of the Independence Day holiday in 2021
- largest ransomware attacks in recent U.S. history were all launched during major holiday weekends
- Summer of 2022
- Second-largest school system in the country, Los Angeles Unified School District, was hit by a ransomware attack over Labor Day weekend in 2022
- increased wave of Microsoft 365 logins from a suspicious origin country and communications from a network to a dangerous IP address
- Why
- longer to understand the scope of the intrusion
- more difficult to stop
- takes longer to recover from
- employees are often away from their normal home offices or workstations and can be susceptible to social engineering or phishing attacks
- employees not as focused
- longer to understand the scope of the intrusion
- What you can do
- Dust off your incident response plans and playbooks to identify the points of triage during the holidays and when to escalate to the broader team.
- Ensure recent external and internal vulnerability assessment reports are reviewed and there are no “gaping holes” that allow easy access to your network.
- Confirm, and don’t assume, that backup systems are running as designed and that a snapshot is taken before the holiday weekend.
- Educate non-security employees about the risk of cyberattacks during holiday weekends.20
Size doesn’t matter when it comes to cyberattacks
- Netwrix Report
- Last 12 months Cyber Attacks
- 65% of organizations in the enterprise sector
- 68% of organizations in all sectors
- Last 12 months Cyber Attacks
- Attacks
- Common
- Phishing
- Ransomware
- user account compromise.
- Ransomware
- 48% Enterprises
- 21% in cloud
- 37% all sizes
- 48% Enterprises
- Bigger Fish (Enterprises)
- Enterprises are targets because they pay more.
- Just like any other business maximizes profit.
- Entrpise has more tools to catch.
- Enterprises are targets because they pay more.
- Financial
- Enterprise $50,000 estimated over SMB.
- Common
- OnPrem vs Cloud
| Security Incidents | Cloud | On-Prem |
| Phishing | 58% | 74% |
| Ransomware/Malware | 19% | 37% |
| User Account Compromise | 27% | 31% |
| Accidental Data Leakage | 20% | 24% |
| Targeted Infrastructure Attack | 30% | 19% |
| Data Theft (insider) | 14% | 18% |
| Admin Account Compromise | 12% | 17% |
| Supply Chain Compromise | 17% | 16% |
| Data Theft (Hacker) | 15% | 16% |
Hot Pixels: checks CPU temp, power changes to steal data
- Group of Researchers
- Georgia Tech
- University of Michigan
- Ruhr University Bochum
- Hot Pixels
- data-dependent computation times on modern system-on-a-chip (SoCs)
- graphics processing units (GPUs)
- extract information from visited web pages on Chrome and Safari
- even if with the latest side-channel countermeasures enabled.
- extract information from visited web pages on Chrome and Safari
- modern processors struggle to balance power consumption requirements and heat dissipation limitations.
- distinct behavior patterns that point to specific instructions and operations.
- detectable through internal sensor measurements
- accessible through software
- analyzing frequency, power, and temperature
- Passively cooled processors could leak information via power and frequency.
- Actively cooled chips leak data through temperature and power readings.
- Attack
- use an iframe element in an attacker-controlled page.
- The iframe’s contents contain sensitive info about the victim are invisible
- but can be computed by applying an SVG filter on top of it
- measuring the rendering times.
- The iframe’s contents contain sensitive info about the victim are invisible
- use an iframe element in an attacker-controlled page.
- What to do?
- The researchers disclosed their findings to Apple, Nvidia, AMD, Qualcomm, Intel, and Google, in March.
- All vendors acknowledged the issues and are working to mitigate them.
- only work well on devices that quickly reach a stable state of power usage, like smartphones, although the data leak throughput is generally small.
- vendors and stakeholders already discuss solutions to the reported problems, like restricting the use of SVG filters on iframes on the HTML standard.
- The researchers disclosed their findings to Apple, Nvidia, AMD, Qualcomm, Intel, and Google, in March.
Enhanced Legion Credential Harvester Targets SSH Servers and AWS Credentials
- Legion
- a Python-based credential harvester
- discovered last month
- some additional feature updates to target cloud services.
- updated variant targets the credentials associated with Laravel web applications and SSH Servers.
- a Python-based credential harvester
- Exploiting cloud services
- Cado Labs researchers
- the malware steals the credentials from misconfigured web servers running PHP frameworks such as Laravel.
- it scans for the environment variable files (.env) on the default paths where these files reside on the infected machine.
- updated variant includes several new paths to search for environment files, such as /lib/.env and /cron/.env.
- the malware steals the credentials from misconfigured web servers running PHP frameworks such as Laravel.
- Environment file is publicly accessible due to any misconfiguration
- malware saves the environment files.
- attempts to retrieve credentials for three specific services
- DynamoDB
- Amazon CloudWatch
- AWS Owl.
- Previous variants
- Already capable of stealing credentials from
- SMTP services
- email providers
- Payment platforms
- Databases
- Server management systems
- SMTP services
- Already capable of stealing credentials from
- Cado Labs researchers
- Attack on SSH servers
- Legion is equipped with the ability to target SSH servers.
- It uses the Paramiko library
- to parse the list of exfiltrated database credentials
- obtain available pairs of usernames and passwords.
- Credentials are then used to log in to the host via SSH.
- It uses the Paramiko library
- Legion is equipped with the ability to target SSH servers.
- Preventive measures
- Legion uses server misconfigurations as the main intrusion tactic.
- a regular audit of the digital resources exposed to the internet
- can help avoid such risks.
- Avoid using default paths and variable names
- Especially when storing the secrets in environment files.
- a regular audit of the digital resources exposed to the internet
- Legion uses server misconfigurations as the main intrusion tactic.