
Security On The Bayou

Wednesday, May 22nd, 2019

PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online

https://github.com/SandboxEscaper/polarbearrepo

Learn to Hack Non-Competes & Sell 0-Days at Black Hat USA

Consumer IoT Devices Are Compromising Enterprise Networks

Transcripts:

Hello folks, it is Wednesday, May 22nd, 2019, and this is Security On The Bayou: security news and why it matters to you. Happy hump day. It’s almost Friday; that three-day weekend is calling my name, I can hear it now.

All right, we’ve got a couple, three articles today: two from Dark Reading, one from TheHackerNews.com. If this is something you don’t follow, Hacker News, you should. Title of the article: "PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online." This one was fun, I enjoyed it. An anonymous hacker named SandboxEscaper released a PoC of a new zero-day vulnerability affecting Windows 10. This is his-slash-her fifth publicly disclosed Windows zero-day exploit in less than a year. That’s impressive. Five Windows exploits. Sheesh. This newest one takes advantage of the Task Scheduler in Windows. Essentially, based on some permissions for some DLLs, they’re able to write a new task to the Task Scheduler to execute with SYSTEM-level permissions. Obviously this is bad. So you do have to have physical, not physically, but you have to have access to the machine. So at some point you already have to have owned this machine or have physical access, but this is something that it looks like probably could be used for persistence fairly easily. This is fairly significant; Task Scheduler is something I use all the time on Windows Server. It looks like it affects Windows 10. Where was that list? 10 32-bit, 64-bit, along with Server 2016 and 2019. So if your enterprise is up to date you’re most likely using all of these things. If you’re somehow behind, this works out for you, which, which is rare. I mean, there’s a lot of other things that don’t work out for you if you’re that far behind. So this person also claims to have four additional zero-day bugs in Windows, three of which lead to local privilege escalation, and a fourth one lets attackers... excuse me, lets attackers bypass sandbox security. So if you’re not familiar with sandboxing, essentially applications are allowed to run in their own little sandbox, just like when you were a little kid and your parents would hover around you and say, "No, don’t come out of the sandbox."

So that is what a sandbox is for applications. Google Chrome is sandboxed. A lot of things, they’re sandboxed. It is a great technology, so anything that can circumvent sandboxing is a pretty damn big deal because it’s used very, very widely. This is a fun one. This is the kind of stuff I get giddy over. I’ll also post the link to the GitHub of this person. I was digging around in the GitHub and I found something sort of interesting: there is another repo in here that is only two hours old and it is called angrypolarbearbug2. So I haven’t had a chance to dig in or read all of it yet, but it seems to me there might be a... I perused it really quickly. It seems to me that this might be an additional zero-day, so I’ll dig into that some more, but interesting: they may have released two within the span of, let’s see, less than 24 hours. The one we’re talking about now was released 19 hours ago. So big day there. Interesting, especially since everything that’s going on with the Windows update patches and all the AV. I mean, this is, you know, sort of the perfect storm here. All right, let’s move on. I’ve already spent enough time on that, so we’ll move through these next two pretty quick. Next, from DarkReading.com by the Black Hat event staff. I’m not a huge Black Hat guy. It’s fun, it’s enjoyable. I’m probably not going this year; probably going to DEF CON, not Black Hat. But here’s the title of the article: "Learn to Hack Non-Competes & Sell 0-Days at Black Hat USA." So essentially Black Hat is there pushing all the ones that sound really, really interesting, which, good for them, they should be. This is their job. Also, the first one is titled "Selling 0-Days to Governments and Offensive Security Companies." Hey, we just talked about zero-days. I don’t know what the value of that Windows zero-day this guy dropped is, but my guess is that it’s worth a lot of money, probably more than a lot of people make in a year.

So next, "How to Hack Your Non-Compete." Ah, excuse me, "Hacking Your Non-Compete." Yeah. Non-competes suck, right. So anyway, you can get around those. You know, I think there’s a certain level of people, that pay, that should not have non-competes. I actually read an article the other day that 1 in 7 people that make less than forty thousand dollars a year have a non-compete, which is ridiculous if you ask me. And that’s not just information security, that’s nationwide in the United States. The next one, "Making Big Things Better the Dead Cow Way." So if you attended DEF CON last year, the cDc got up and, you know, they had a whole board and it was a lot of fun, it was a really good time. It’s fun to ask these guys some questions, some, you know, the original sort of hacker group; a lot of it inspired a lot of people over the years, so it looks like they’re making a comeback of it at Black Hat. I bet they’d probably be a little bit more organized this time. Not that it wasn’t last time, but once again, that should be a fun one. What’s this? Oh, so as you may know, Beto O’Rourke, the presidential candidate, was part of the Cult of the Dead Cow back in the day, so I’m sure that will come up now because that wasn’t public information last year. Next, also from Dark Reading, by Ericka Chickowski. Ericka, welcome back to the podcast. "Consumer IoT Devices Are Compromising Enterprise Networks." Yeah, no kidding. Yep. All joking aside, yes they are. They’re everywhere; everywhere you look there’s IoT devices, right. And, you know, try not to get too focused on the term IoT, right. Internet of Things is something that is small, not, well, not necessarily small, something that is plugged into your network that has a specific purpose, that has an internet connection. That’s been around for years, right; we’ve just branded it IoT. But here’s what they found. Researchers from Zscaler ThreatLabZ.

Ninety-one and a half percent of IoT transactions are conducted over plain text. Bad. No good. Bad. Stop it. Next, 18 percent of IoT devices running that use SSL exclusively communicate... This is a terribly written sentence. 18 percent of devices use SSL within an enterprise environment. That is also bad. That should be way higher. Those numbers should be flipped; that should be the end goal here. Let’s flip those numbers and we’re in good shape. If you want some more details on this study, she starts to break it down a little bit more. Forty-nine percent of enterprises do not regularly scan for IoT devices. Bad, once again. Only 8 percent say they have the capability to do so. That’s somewhat understandable, I get that, this is still new. How are you scanning for it? That’s an interesting question. I’ll do some research on that myself because I don’t know that I have the answer for that, although I would think a lot of your vulnerability scanners would be able to pick a lot of that up anyway. So there’s some good information in here about this report. I recommend you go over there and read it. All right. What a day. No easy news today, sort of disappointing. Baltimore... no, no update on Baltimore either. We’ll get there. We’ll find something; something new will come out on that. Anyways, it’s Wednesday, May 22nd, 2019, and this has been Security On The Bayou. Thank you for joining me, and we will talk again tomorrow. Everybody have a wonderful week.

Tuesday, May 21st, 2019

Linux variant of Winnti malware spotted in wild

Windows 10’s May patches are borking McAfee and Sophos software

Ransomware Cyberattacks Knock Baltimore’s City Services Offline

Transcript:


It’s Tuesday, May 21st, 2019, and this is Security On The Bayou: today’s security news and why it matters to you. So today’s going to be a fun day. We’ve got a couple of really good ones too. Two of them are going to be sort of follow-ups, one that’s pretty technical, but this I’m pretty excited about today. It is Tuesday.

All right, first one, from SCMagazine.com, written by Robert Abel: "Linux variant of Winnti malware spotted in wild." So normally I wouldn’t bring up something so technical, but the reason I do here is because of who found it. This was found by Google’s Chronicle security team, which we’ve heard a lot about; they had a big sort of deal at RSA about their new SIEM that they’re building. You know, it’s Google; anything Google touches tends to turn to gold. Security, anything security people touch turns to gold. This is just a match made in heaven, having Google and security, so this is one of the first truly technical things I think I’ve seen from them. I found out today they have a blog. Of course they do; why wouldn’t they have a blog? But this is specific to that Winnti malware. Winnti malware has been a popular tool used by Beijing hackers over the last decade or so, last used on a German pharmaceutical company in April of 2019. So essentially this malware... most malware is written for Windows or Mac; those are typically the two you see attacked the most. More and more over the past four or five years we’ve seen them sort of take these tools they’ve used in the past and start to adapt them for Linux. Start looking around the world: Linux is run everywhere, AWS, Azure, it’s all based on Linux, right. So if you can compromise the big bad servers you have more power to do things. So Chronicle has found, how many versions of it, where’d it go... I want to say there was five different versions that they found of Winnti ported to Linux.

So next, let’s move on. We’re moving to TheInquirer.net. This is an update from what we talked about yesterday. So if you remember, we’ve been having all this stuff with AV, every vendor. So yesterday we discovered that Sophos was telling users to roll back their Windows patches because it was causing boot-up issues with machines that were running Sophos. Well, today gets even better. From TheInquirer.net: "Windows 10’s May patches are borking McAfee and Sophos software." That’s a great, great use of "borking." This is by Chris Merriman, @ChrisTheDJ on Twitter. He’s got a pretty cool profile picture on here. Go click this link and read this and look at that picture. It’s worth it. So not only is Sophos having issues with the May security patch updates from Microsoft, but apparently McAfee is, and Avast, and Avira, and ArcaBit. So I mean, most people... Avira and ArcaBit I’ve never heard of. Well, they’re out there, they do AV. You see a lot of them on VirusTotal, but it’s probably not widely used. But Avast for sure, McAfee and Sophos, I mean, they’re all over the place. So this is interesting. This is not near as bad as Sophos: McAfee is having issues with their HIPS and their VirusScan Enterprise, slowness on startup, or may become unresponsive at restart after installing the update. McAfee doesn’t say anything about when they’re going to fix it, just like Sophos; I’m sure it’s a "we’ll fix it soon, we’ll get there," right. At least McAfee is not saying to uninstall patches, right. I said this, I want to caution people: this could very quickly turn into a blame-Microsoft game. I don’t necessarily see it that way. So just remember, my remark is that Microsoft Windows is the underlying operating system here. So that’s the most important part, right. You can get another AV.

You can’t typically get another operating system; there’s only so many options. So if you have McAfee or Sophos or Avast or Avira or ArcaBit, or even, we start looking at Symantec from the previous weeks, or Trend, there’s other ones out there. I highly recommend Malwarebytes; go grab them if you’d like, try other ones, there’s free ones out there, although I don’t always recommend using free AV for obvious reasons, but a subscription is fairly cheap in the long run; it’s going to save you a lot of money and time and frustration over the years.

All right, next, let’s move on to another update. So this one was written by NPR, not a typical source for us. The title is "Ransomware Cyberattacks Knock Baltimore’s City Services Offline," by Emily Sullivan. So this, we know this, right. So first I saw the article, I was like, well, why are they, you know, why are they writing this article on May 21st when this has been going on for two weeks? I didn’t know; the title didn’t exactly allude to any new information. Well, here we go. I found the new information today, this morning: the hackers have demanded 13 bitcoins, about one hundred grand. So they went from 72 grand, or whatever it was from 16, all the way up to 100k, and they still haven’t paid it. The FBI and Secret Service are on this. And at this point you just gotta pay the damn ransom and move on, right. So there are two or three options here. Here, there’s three. Three ways this thing could go. One: you have to wipe all your systems and you lose your data. Two: you pay the ransom, they don’t give you the key, you still have to wipe all your systems and lose your data. Three: you pay the ransom, they give you the key, you unlock, and you get all your data back. So I know two of those involve paying the ransom; you tell me. So here’s where I really formed that opinion from. Let me go find this. This quote. Essentially what they said is that all the cryptographers in the world and the country, the smartest MFers out there, have all said that this is an unbreakable algorithm. There is nothing technologically available that can break this algorithm, which says to me that you just got to pay the ransom. If the FBI, the Secret Service, I’m sure everybody’s involved in this on the government side, and all these really smart mathematicians and cryptographers are saying this can’t be broken, it’s time: you just got to scream uncle and pay the ransom and move on. So it’s been an interesting day. Tuesday, what a day, two updates. Baltimore, the city of Baltimore, I feel bad. That’s tough.

I mean, they’re having issues with medical staff, processing home loans, processing, you know, title transfers, medical records. It’s just essentially everything that you would ever file with the city has just been encrypted. And then I’m sure the people, it sucks, right, they’re going to pay; it’s going to come out of their pocket at the end of the day. But at some point somebody is going to tell you the hard truth of things. You’ve got to pay it and hope it works out for the best. All right folks, it is Tuesday, May 21st, 2019, and this is Security On The Bayou. Thank you for listening. Hope everybody has a wonderful day. It’s almost hump day. We will talk again tomorrow.