Exploit Checklist for Bad Actors

July 28, 2021

I found this post by MIT Research (oops, sorry, I meant MITRE Research). The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public-facing encyclopedia called Common Weakness Enumeration. The link is to additional information about the “Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.

Popular weaknesses, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes,” are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

New entries are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.

Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?

Stephen E Arnold, July 28, 2021
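Two of the new entries in the list above, CWE-77 (command injection) and CWE-918 (SSRF), are easy to show in a few lines. The block below is an added illustration written for this page, not MITRE’s code or anything from the CWE write up; the function names, the hostname allow-list regex and the blocked-network table are assumptions, and the vulnerable path returns the shell string rather than executing it so the injection is visible without running anything.

```python
"""Added example for CWE-77 and CWE-918 from the 2021 CWE Top 25.
Example code for this page, not MITRE's; helper names are assumptions."""
import ipaddress
import re
from typing import List
from urllib.parse import urlparse

# ---- CWE-77: Improper Neutralization of Special Elements used in a Command ----

def vulnerable_ping_command(host: str) -> str:
    """What a naive implementation hands to `os.system`/`shell=True`.
    Returned instead of executed: "8.8.8.8; id" becomes two shell commands."""
    return "ping -c 1 " + host

# Plain DNS label syntax (assumed allow-list); an IP literal is accepted separately.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: validate against an allow-list, then build an argv list
    for subprocess.run(argv) with no shell. Raises ValueError on anything else.
    The regex cannot match a leading '-', so option injection is also blocked."""
    try:
        ipaddress.ip_address(host)          # IPv4/IPv6 literal is fine
    except ValueError:
        if len(host) > 253 or not _HOSTNAME_RE.match(host):
            raise ValueError("rejected host argument: %r" % host)
    return ["ping", "-c", "1", host]

def ping_argument_rejected(host: str) -> bool:
    """True when the hardened builder refuses `host`."""
    try:
        safe_ping_argv(host)
    except ValueError:
        return True
    return False

# ---- CWE-918: Server-Side Request Forgery ----

# Assumed deny-list: loopback, RFC 1918, link-local (incl. cloud metadata
# 169.254.169.254), "this network", and the IPv6 equivalents.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_safe_fetch_target(url: str, resolved_ip: str) -> bool:
    """Decide whether a server-side fetch of `url` may proceed.
    `resolved_ip` is the address the caller already resolved the hostname to
    (passed in so this runs offline). A real guard must resolve, check, and
    then connect to that same address, otherwise a DNS rebinding answer can
    swap the target between the check and the connection."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                        # file://, gopher://, etc.
    ip = ipaddress.ip_address(resolved_ip)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 style
    if mapped is not None:
        ip = mapped
    return not any(ip in net for net in _BLOCKED_NETWORKS)

if __name__ == "__main__":
    print(vulnerable_ping_command("8.8.8.8; id"))
    print(safe_ping_argv("example.com"), ping_argument_rejected("$(id)"))
    print(is_safe_fetch_target("http://169.254.169.254/latest/meta-data/",
                               "169.254.169.254"))
```

The command-injection fix is the argv list, not quoting: `shlex.quote` would stop `; id` but still lets a value such as `-f` reach `ping` as an option, which the allow-list rules out. The SSRF guard only decides on an address you hand it; pairing it with the actual socket connection is the part most implementations get wrong.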

Cyber Security: Cyber Security Vendors May Have Missed a Scenario

July 21, 2021

I read a somewhat routine write up called “Work from Home Fueling Cyberattacks, Says Global Financial Watchdog.” The word watchdog scares me away. In the post-SolarWinds era, where were those watchdogs? Come to think about it, “Where were the super smart, predictive threat intelligence systems?” I suppose even watchdogs have to catch some ZZZZs.

The article contained, in my opinion, a comment of exceptional perspicacity. Here it is:

“Most cyber frameworks did not envisage a scenario of near-universal remote working and the exploitation of such a situation by cyber threat actors,” the FSB said in a report to G20 ministers and central banks.

This is not napping. Nope. Missing a scenario makes it clear that cyber security vendors did not think through what would happen if their systems had to deal with off site working at scale. As a result, the systems probably are a-okay when monitoring a tire dealer’s computer system in Akron, Ohio. But in the work from home environment, the threat system was napping. I envision an ever vigilant junk yard dog with flashy icons on its spiked collar. Unfortunately the junk yard dog is chained to a rusting 1975 CJ7 and not on the prowl in the junk yard proper.

Net net: The defense mechanism keeps that old Jeep secure but the bad actors can haul off whatever auto parts of interest. There may be a couple of overlooked catalytic converters amidst the wreckage.

Stephen E Arnold, July 21, 2021

Cyber Crime and Crypto Currency: There Is a Link? Really?

July 15, 2021

I read a remarkable report from the diary of Captain Obvious. The entry was “Quick Take: How Cryptocurrency Turbocharged the Cybercrime Racket.” I was stunned to learn that allegedly anonymous digital payments for contraband, stolen videos, and Crime as a Service “turbocharged the cybercrime racket.”

The write up reports:

Bitcoin and other cryptocurrencies, along with the exchanges where they can be traded anonymously, have emerged as key tools for the cyber extortionists.

The article then covers how to use cryptocurrency for cyber crime, why bad actors love money flows which sidestep traditional financial institutions, an estimate of the amount of money stolen using cryptocurrency, how bad actors obtained payment in the pre-bitcoin days, a comment about tracing digital currency transactions, some law enforcement successes, and what steps might address this issue.

Who knew? Maybe the more than 60 vendors engaged in cyber security, the dozens of vendors monitoring obfuscated forums, and savvy bad actors who jumped at the opportunity cryptocurrency created for mixers.

It is outstanding that the Seattle Times, home of the security giant Microsoft, has revealed this startling connection between cyber crime and obfuscated, instant monetary transactions designed to avoid the regulatory requirements of outfits like major US banks.

Pulitzer time? Absolutely. Next the hard hitting news team will report on the sun rising each morning in Seattle.

Stephen E Arnold, July

DarkCyber for July 13, 2021, Now Available

July 13, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, lesser known Internet services, and cyber crime. You can view the program at this link or use the viewer on the Beyond Search splash page. The DarkCyber for July 13, 2021, discusses the new US GAO report on facial recognition. Plus a 2019 report, with numerous FR vendors and accuracy tests, provides data not in the 2021 report. Also, in this program are stories about: [a] what cohort (age group) is most susceptible to online scams, [b] Amazon eCommerce vulnerabilities, and [c] a report about the US Navy’s autonomous mid-air refueling drone. DarkCyber is produced by Stephen E Arnold.

Kenny Toth, July 13, 2021

Tor Compromised?

July 9, 2021

I read “Tor Encryption Can Allegedly Be Accessed by the NSA, Says Security Expert.” I was stunned. I thought that the layers of encryption, the triple hop through relays, and the hope that everything worked as planned was bulletproof. And who funded Tor in the first place? What’s the status of the not-for-profit foundation today? Why were some European entities excited about cross correlating date and time stamps, IP addresses, and other bits of metadata? I don’t have answers to these questions, nor does the write up.

The article presents this information:

A security expert by the name of Robert Graham, however, has outlined his reasons for actually believing that the NSA might not even need tricks and paltry exploits in order for them to gain access to Tor, according to a blog post on Erratasec. Why? The security expert notes that this is because they might already have the keys to the kingdom. If they don’t, then they might be able to, according to arsTechnica.

Let me see if I can follow the source of this interesting assertion. TechTimes (the outfit publishing the “Tor Encryption Can” story cited above) quotes a security expert. There was a source called Erratasec. Then there was a story on Ars Technica.

Now I think that Tor software and the onion method have security upsides and downsides. I also know that what humans create, other humans can figure out. I think the point of the write up is that anyone who uses Tor should embrace the current version.

Can NSA or any other intelligence entity figure out who is doing what, when, and why? My view is that deobfuscation methods are advancing. The fact that bad actors are shifting from old-school Dark Web sites to other channels speaks volumes. Bad actors have been shifting to messaging services which feature end-to-end encryption (E2EE) and do not require a particularly hard-to-complete registration process. But this shift from the “old” Dark Web to the “new” Dark Web began several years ago. Bad actors have been aware that other secure communications options were Job One for years. My thought is that this story is interesting, just not focused on what is actually further consumerizing criminal behavior. The action has shifted, and the US may not be the leader in making sense of the new types of communications traffic.

Stephen E Arnold, July 9, 2021

DarkCyber for June 29, 2021, Now Available: Operation Trojan Shield Provides an Important Lesson

June 29, 2021

DarkCyber 13 discusses the Operation Trojan Shield sting. You can view the video at this link. The focus is on three facets of the interesting international takedowns not receiving much attention. The wrap up of the program is a lesson which should be applied to other interesting mobile device applications. If you are wondering how useful access to app data and its metadata is, you may find this 11 minute video thought provoking. DarkCyber is a production of Stephen E Arnold, a semi-retired consultant who dodges thumbtypers, marketers, and jargon lovers. Remember: No ads and no sponsors. (No, we don’t understand either but he pays our modest team like clockwork.)

Kenny Toth, June 29, 2021

Another Friday, More Microsoft Security Misstep Disclosures

June 28, 2021

I think Microsoft believes no one works on Friday. I learned in “Microsoft Warns of Continued Attacks by the Nobelium Hacking Group” that SolarWinds is the gift that keeps on giving. Microsoft appears to have mentioned that another group allegedly working for Mr. Putin has been exploiting Microsoft software and systems. Will a “new” Windows 11 and registering via a Microsoft email cure this slight issue? Sure it will, but I am anticipating Microsoft marketing jabber.

The write up states:

The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Nobelium, a Russia-based hacking group best known for the SolarWinds cyber attack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks. Microsoft said it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.” The affected customers were notified of the breach.

The applause sign is illuminated.

I spotted this remarkable statement in the write up as well:

It’s possible that successful attacks went unnoticed, but for now it seems Nobelium’s efforts have been ineffective.

Wait, please. There is more. Navigate to “Microsoft Admits to Signing Rootkit Malware in Supply-Chain Fiasco.” This smoothly executed maneuver from the Windows 11 crowd prompted the write up to state:

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.

This driver, called “Netfilter,” is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

The write up concludes:

This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

Amazing. The reason cyber crime is in gold rush mode is due to Microsoft in my opinion. The high tech wizards in Redmond can do rounded corners. Security? Good question.

Stephen E Arnold, June 28, 2021

Google: So Darned Useful to Good and Bad Actors

June 25, 2021

Never underestimate hackers’ adaptability and opportunism. E Hacking News reports, “Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks.” For the first time, security firm Avanan has found, attackers are able to bypass link scanners and other security protections and use Google’s standard document tools to deliver malicious, credential-stealing links. Previously, bad actors have had to lure their victims to a legitimate website in order to exploit its security flaws. Now they can do so right from users’ inboxes. The article cites a recent report from Trend Micro as well as the research from Avanan:

“According to researchers, once the hacker publishes the lure, ‘Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.’ The hackers then use the phishing lure to get the victim to ‘Click here to download the document.’ Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the ‘View Document’ button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a ‘Log in’ button.”

Stolen login credentials are the most effective way to infiltrate any organization, and with a little social engineering hackers can attract many of them with this approach. It is a good reminder that educated users who do not fall for phishing schemes provide the best protection against such attackers. Alternatively, just download some interesting apps from the Google Play Store.

Cynthia Murrell, June 25, 2021
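The lure in the post above works because a published Google Doc is hosted content: a scanner that allow-lists google.com passes the link, and the redirect to the phishing site lives inside the rendered document. The block below is an added example written for this page, not code from Avanan, Trend Micro or E Hacking News. The email body, the published-page HTML and the document ID are constructed; the `/document/d/e/<id>/pub` path shape is the public form of a published Google Doc, and the `fetch` callable is injected so the check runs offline.

```python
"""Added example: naive allow-list scanner beside a check that follows
published Google Docs links. Sample inputs are constructed for this page."""
import re
from html.parser import HTMLParser
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Constructed lure email body; the document ID is made up.
SAMPLE_EMAIL_HTML = """
<p>A document has been shared with you.</p>
<a href="https://docs.google.com/document/d/e/2PACX-EXAMPLE-ID/pub">View Document</a>
<a href="https://www.google.com/">Google</a>
"""

# Constructed stand-in for what the published doc renders: attacker HTML
# whose only purpose is the outbound link (the "download the document" lure).
SAMPLE_PUBLISHED_PAGE = """
<html><body>
<a href="https://login-docusign-example.invalid/session">Click here to download the document</a>
</body></html>
"""

# Assumed allow-list of the kind that lets the lure through.
ALLOWED_HOSTS = {"google.com", "www.google.com", "docs.google.com"}
PUBLISHED_DOC_PATH = re.compile(r"^/document/d/e/[^/]+/pub$")

class _LinkExtractor(HTMLParser):
    """Collects href values of <a> tags; stdlib only, no network."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def extract_links(html: str) -> List[str]:
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def naive_scan(email_html: str) -> List[str]:
    """Flags only links whose host is off the allow-list: the Google Docs
    lure and the decoy google.com link both pass, so nothing is reported."""
    return [u for u in extract_links(email_html) if _host(u) not in ALLOWED_HOSTS]

def is_published_doc(url: str) -> bool:
    """True for the public 'publish to the web' form of a Google Doc."""
    parts = urlparse(url)
    return _host(url) == "docs.google.com" and bool(PUBLISHED_DOC_PATH.match(parts.path))

def hardened_scan(email_html: str,
                  fetch: Callable[[str], str]) -> List[Tuple[str, ...]]:
    """Treats a published doc as hosted content: fetches it (via `fetch`) and
    reports every outbound link it contains that leaves the allow-list.
    Findings: ("untrusted-link", url) or ("published-doc-redirect", doc, target)."""
    findings: List[Tuple[str, ...]] = []
    for url in extract_links(email_html):
        if _host(url) not in ALLOWED_HOSTS:
            findings.append(("untrusted-link", url))
        elif is_published_doc(url):
            for target in extract_links(fetch(url)):
                if _host(target) not in ALLOWED_HOSTS:
                    findings.append(("published-doc-redirect", url, target))
    return findings

if __name__ == "__main__":
    print("naive:", naive_scan(SAMPLE_EMAIL_HTML))
    print("hardened:", hardened_scan(SAMPLE_EMAIL_HTML, lambda u: SAMPLE_PUBLISHED_PAGE))
```

The published page Google serves is attacker-authored, so the outbound `href` is the only signal worth acting on; a scanner that rewrites or detonates links has to follow that second hop, and it should treat an `?embedded=true` iframe form of the same path the same way.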

DarkCyber for June 15, 2021, Now Available

June 15, 2021

DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:

  • Pentest tools you can download and use today for free
  • A free report that explains Britain’s cyber weaknesses
  • Additional information about the E2EE revolution
  • Another tip for finding flexible developers and programmers who will do exactly what you want done
  • The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.

The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The

The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.

Kenny Toth, June 15, 2021

Chronic Cyber Insecurity

June 11, 2021

NPR has shared the transcript of an All Things Considered interview with former NSA general counsel Glenn Gerstell in, “USAID Hack: Former NSA Official Calls U.S. Cyber Insecurity a ‘Chronic Disease.’” The exchange is not reassuring. Host Michel Martin begins with the recent news of another breach, announced by Microsoft late last month. Once again the perpetrators appear to be Russian operatives, probably the same ones that were behind the SolarWinds attack. Not that Putin will admit as much when he is confronted, as he will likely be, by President Biden at their upcoming meeting in Geneva. We note this exchange:

“MARTIN: Why do you think these attacks keep happening despite the sanctions that the Biden administration has already imposed, you know, on Russia? And do you think the government’s doing enough to protect itself against these threats and also us, the public?

“GERSTELL: Well, your question is really the key one. And I think the lesson we learn from this is that this in some ways, our cyber insecurity in this regard, is a chronic disease for which we don’t have a single cure. It’s not an illness for which there’s a particular drug that we could take to get rid of it. So unfortunately, however, we’re at the beginning end of this chronic condition. This is going to get worse before it gets better. It will ultimately get better. But in the meantime, we have sophisticated attackers, nation states and criminals who can co-opt legitimate servers and companies and computers and softwares. And this proves, unfortunately, that our current scheme of deterrents simply isn’t working.”

What will work is the multi-billion dollar question. Martin wonders whether there are any plans to regulate crypto currency. Gerstell allows that is a step that might be taken, but it would do little to disrupt either spying or the sowing of chaos generated by these types of attacks. It could, however, curtail the sort of ransomware attack that recently shut down a pipeline on the East Coast and had some fools pumping gasoline into plastic bags and other unwise receptacles. That would be something, we suppose.

Cynthia Murrell, June 11, 2021
