
2023.02.28.News You Should Know

Mobile World Congress will feature highlights of how mobile networks are being used in the Russo-Ukrainian conflict
Sessions will cover Ukraine's and Russia's use of civilian mobile network infrastructure, the dangers of geolocation data, and the largest roaming shutdown in mobile networking history.

NIST is accepting comments on the newest version of the Cybersecurity Framework {PDF}
This version seeks to expand the capabilities below and provide additional guidance:

  • Improve measurement capabilities
  • Expand coverage of supply chain risk management
  • Give governance more prominence, with a dedicated governance function

Thanks to Brian Krebs and others, we now know how the LastPass breach happened: the core LastPass services were well enough protected that the threat actors went after one of the lead developers' home workstations instead. The foothold was an unpatched Plex Media Server running on that machine. Exploiting a known RCE in Plex, they installed a keylogger, captured the user's master password as it was typed, and from there obtained the decryption keys for the LastPass cloud service backups. The lesson for practitioners: any machine that can reach production secrets, a home workstation included, is part of the attack surface and needs the same patch discipline as the data centre.

US Treasury announces increased sanctions on Russia as foreign diplomats begin signalling that China and other countries could also be targeted for aiding and abetting.

Typosquatting in the Python Package Index (PyPI) has resulted in at least 500 malicious packages being uploaded for unsuspecting developers to install. Packages targeted by malicious misspellings include matplotlib, pandas, selenium, websockets, beautifulsoup, and tensorflow. A complete list of the targeted packages is available from the security firm Phylum.
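A practical way to catch these lookalikes before `pip install` runs is to compare every name in a requirements file against an allowlist of packages you actually depend on, using an edit distance that counts a swapped pair of letters (tesnorflow for tensorflow) as one edit. The script below is an added example written for this post, not Phylum's tooling or anything from PyPI; the allowlist and the requirements file it checks are constructed for the demo, and the distance thresholds are an assumption you should tune to your own dependency set.

```python
import re

# Constructed allowlist: the packages named in the news item plus a few other staples.
# In practice, feed this from a curated top-N list of packages your organization uses.
POPULAR = {"matplotlib", "pandas", "selenium", "websockets", "beautifulsoup4",
           "tensorflow", "requests", "numpy"}

# Constructed requirements file for the demo: four lines are near-misses of popular names.
SAMPLE_REQUIREMENTS = """\
# pinned deps for the demo
requests==2.31.0
tesnorflow
pandsa>=1.0
matplotlib
selenuim[extra]
beautifulsuop
-e git+https://example.invalid/repo.git#egg=internal_tool
"""


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.
    Insertions, deletions, substitutions and adjacent transpositions each cost 1,
    so 'tesnorflow' is 1 edit from 'tensorflow' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def requirement_names(text):
    """Yield the bare project name from each requirement line, skipping comments and options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield m.group(0)


def suspected_typosquat(name, popular):
    """Return (closest popular name, distance) if `name` is a near-miss of one, else None.
    Exact matches pass. The allowed distance grows with name length (assumed thresholds:
    1 edit for short names, 2 for names of 10+ characters) because one edit in a long
    name is a far more convincing lookalike than one edit in a short one."""
    norm = normalize(name)
    if norm in popular:
        return None
    limit = 2 if len(norm) >= 10 else 1
    best = min(((osa_distance(norm, p), p) for p in popular), default=None)
    if best and best[0] <= limit:
        return best[1], best[0]
    return None


def check_requirements(text, popular=POPULAR):
    """List of (requested name, likely intended package, edit distance) for a human to review."""
    popular = {normalize(p) for p in popular}
    findings = []
    for name in requirement_names(text):
        hit = suspected_typosquat(name, popular)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for name, target, dist in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name!r} is {dist} edit(s) from {target!r}: verify before installing")
```

Treat a finding as a prompt for review, not an automatic block: legitimate packages do sometimes sit one edit from a popular name, which is exactly why the attackers' misspellings work. Run it in CI against every requirements and lock file, and pair it with pinned hashes so that even a correctly spelled name cannot silently resolve to a replaced artifact.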

CISA shares the results of a red team engagement against a "mature security organization" in which the team walked away unscathed and largely undetected. The report {PDF} offers mitigations and detection opportunities, as well as actions every organization should review and implement to keep real threat actors from pulling off the same moves.

A major topic in this week's News You Should Know in-person brief was the use of "wipers" in the Russo-Ukrainian conflict, and multiple security vendors' detections of these tools inside Western utility networks. ESET published a breakdown of all the wiper and faux-ransomware families seen in the wild so far and encourages companies to plan recovery operations for extensive data loss.
Wipers are particularly troubling because they strike twice. First they overwrite the Master Boot Record (MBR) and partition table, and often the file system's own index as well; that is the disk's equivalent of a library's card catalogue, and without it the machine can neither boot nor find its files. Then they overwrite the individual files themselves, akin to a book burning. Wipers seen since 2015 in the networks of eastern European and Western companies have grown steadily more viral and wormable, NotPetya in 2017 being the clearest example.
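The first thing a responder checks on a suspected wiper victim is whether sector 0 of the disk is still an MBR at all. The parser below is an added example written for this post (not code from ESET or any vendor); it builds a constructed 512-byte sample sector inline so it runs offline, then classifies that sector, an all-zero copy, and a junk-filled copy the way you would classify the first sector of a real disk image read with `dd` or a forensic tool.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # last two bytes of every valid MBR
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries follow the boot code
# status, CHS start (3 bytes), type, CHS end (3 bytes), start LBA, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr():
    """Constructed sample for the demo, not a real disk image: a minimal MBR with
    x86 boot-code stub and one bootable NTFS-type partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # 'jmp short' stub typical of real boot code
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = PARTITION_ENTRY.pack(
        0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Decode the boot signature, boot-code area and partition table of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = PARTITION_ENTRY.unpack(sector[off:off + 16])
        if ptype == 0 and lba == 0 and count == 0:
            continue                                      # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_blank": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": partitions,
    }


def assess_mbr(sector):
    """Classify sector 0 the way a responder would triage it on a wiper victim."""
    info = parse_mbr(sector)
    if not any(sector):
        return "wiped"                    # every byte zero: overwritten with nulls
    if not info["signature_ok"]:
        return "signature_missing"        # 0x55AA gone: overwritten with junk or random data
    if not info["partitions"]:
        return "no_partitions"            # signature intact but the table was cleared
    if any(p["start_lba"] == 0 or p["sectors"] == 0 for p in info["partitions"]):
        return "corrupt_partition_table"  # entries present but point nowhere
    return "ok"


def triage_samples():
    """Run the check over an intact sector and two simulated wiper outcomes."""
    intact = build_sample_mbr()
    zeroed = bytes(SECTOR_SIZE)             # wiper that nulls the sector
    junk = bytes(range(256)) * 2            # wiper that overwrites with arbitrary bytes
    return {"intact": assess_mbr(intact), "zeroed": assess_mbr(zeroed), "junk": assess_mbr(junk)}


if __name__ == "__main__":
    for label, verdict in triage_samples().items():
        print(f"{label}: {verdict}")
    for p in parse_mbr(build_sample_mbr())["partitions"]:
        print(f"partition type 0x{p['type']:02x} at LBA {p['start_lba']} ({p['sectors']} sectors)")
```

Two caveats for real use. On a GPT disk sector 0 holds only a protective MBR with a single type 0xEE entry, so "ok" from this check says nothing about the real partition table in the GPT header at LBA 1. And an intact MBR does not mean the file system survived: the same triage has to be repeated on the volume boot record and the NTFS MFT, which is the layer the "card catalogue" analogy really describes.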

For additional reading on the topics of ICS/OT security and how we got to the Russo-Ukrainian conflict today, the authors recommend “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers” by Andy Greenberg, available from Anchor Books.
