CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 58: May 28 2023

Links – Copy URL if you don’t trust the link…I get it

Hot Pixel Technical Paper:

Entering the Summer Caution Seaso

  • Memorial Day Weekend
  • Start of the Summer Vacation Season
  • pattern has emerged in recent years
  • summer of 2021
    • largest ransomware attacks in recent U.S. history were all launched during major holiday weekends
      • Colonial Pipeline compromise began around the Mother’s Day weekend in 2021
      • meatpacker JBS was hit by REvil ransomware over the Memorial Day weekend in 2021
      • Kaseya, a Florida-based IT monitoring firm, was hit by a major ransomware attack at the start of the Independence Day holiday in 2021
  • Summer of 2022
    • Second-largest school system in the country, Los Angeles Unified School District, was hit by a ransomware attack over Labor Day weekend in 2022
    • increased wave of Microsoft 365 logins from a suspicious origin country and communications from a network to a dangerous IP address
  • Why
    • longer to understand the scope of the intrusion
      • more difficult to stop
      • takes longer to recover from
    • employees are often away from their normal home offices or workstations and can be susceptible to social engineering or phishing attacks
      • employees not as focused
  • What you can do
    • Dust off your incident response plans and playbooks to identify the points of triage during the holidays and when to escalate to the broader team.
    • Ensure recent external and internal vulnerability assessment reports are reviewed and there are no “gaping holes” that allow easy access to your network.
    • Confirm, and don’t assume, that backup systems are running as designed and that a snapshot is taken before the holiday weekend.
    • Educate non-security employees about the risk of cyberattacks during holiday weekends.20

Size doesn’t matter when it comes to cyberattacks

  • Netwrix Report
    • Last 12 months Cyber Attacks
      • 65% of organizations in the enterprise sector
      • 68% of organizations in all sectors
  • Attacks
    • Common
      • Phishing
      • Ransomware
      • user account compromise.
    • Ransomware
      • 48% Enterprises
        • 21% in cloud
      • 37% all sizes
    • Bigger Fish (Enterprises)
      • Enterprises are targets because they pay more.
        • Just like any other business maximizes profit.
      • Entrpise has more tools to catch.
    • Financial
      • Enterprise $50,000 estimated over SMB.
  • OnPrem vs Cloud
Security IncidentsCloudOn-Prem
User Account Compromise27%31%
Accidental Data Leakage20%24%
Targeted Infrastructure Attack30%19%
Data Theft (insider)14%18%
Admin Account Compromise12%17%
Supply Chain Compromise17%16%
Data Theft (Hacker)15%16%

Hot Pixels: checks CPU temp, power changes to steal data

  • Group of Researchers
    • Georgia Tech
    • University of Michigan
    • Ruhr University Bochum
  • Hot Pixels
    • data-dependent computation times on modern system-on-a-chip (SoCs)
    • graphics processing units (GPUs)
      • extract information from visited web pages on Chrome and Safari
        • even if with the latest side-channel countermeasures enabled.
    • modern processors struggle to balance power consumption requirements and heat dissipation limitations.
      • distinct behavior patterns that point to specific instructions and operations.
      • detectable through internal sensor measurements
        • accessible through software
    • analyzing frequency, power, and temperature
      • Passively cooled processors could leak information via power and frequency.
      • Actively cooled chips leak data through temperature and power readings.
  • Attack
    • use an iframe element in an attacker-controlled page.
      • The iframe’s contents contain sensitive info about the victim are invisible
        • but can be computed by applying an SVG filter on top of it
        • measuring the rendering times.
  • What to do?
    • The researchers disclosed their findings to Apple, Nvidia, AMD, Qualcomm, Intel, and Google, in March.
      • All vendors acknowledged the issues and are working to mitigate them.
    • only work well on devices that quickly reach a stable state of power usage, like smartphones, although the data leak throughput is generally small.
    • vendors and stakeholders already discuss solutions to the reported problems, like restricting the use of SVG filters on iframes on the HTML standard.

Enhanced Legion Credential Harvester Targets SSH Servers and AWS Credentials

  • Legion
    • a Python-based credential harvester
      • discovered last month
    • some additional feature updates to target cloud services.
      • updated variant targets the credentials associated with Laravel web applications and SSH Servers.
  • Exploiting cloud services
    • Cado Labs researchers
      • the malware steals the credentials from misconfigured web servers running PHP frameworks such as Laravel. 
        • it scans for the environment variable files (.env) on the default paths where these files reside on the infected machine.
        • updated variant includes several new paths to search for environment files, such as /lib/.env and /cron/.env.
    • Environment file is publicly accessible due to any misconfiguration
      • malware saves the environment files.
    • attempts to retrieve credentials for three specific services
      • DynamoDB
      • Amazon CloudWatch
      • AWS Owl.
    • Previous variants
      • Already capable of stealing credentials from
        • SMTP services
          • email providers
        • Payment platforms
        • Databases
        • Server management systems
  • Attack on SSH servers
    • Legion is equipped with the ability to target SSH servers.
      • It uses the Paramiko library
        • to parse the list of exfiltrated database credentials
        • obtain available pairs of usernames and passwords.
      • Credentials are then used to log in to the host via SSH.
  • Preventive measures
    • Legion uses server misconfigurations as the main intrusion tactic.
      • a regular audit of the digital resources exposed to the internet
        •  can help avoid such risks.
      • Avoid using default paths and variable names
        • Especially when storing the secrets in environment files.