InfoSec News – July 12, 2024

I am switching to a weekly newsletter format for these posts. I spend a lot of time during the week scanning newsfeeds to find interesting and relevant information as part of my day job. I am already sharing these with my team, so why not share them with the wider infosec community?

My hope is to produce at least one of these posts weekly, then share it with the greater community. It could be via social media or an email newsletter, or both. My goal is to drop the post and have the rest happen automatically. But for now, I’ll be happy with just a weekly post every Friday.

I hope you find this valuable! – Chris

Patelco CU Breach

Patelco CU Reported Data Breach in 2023, Affected 181,000 Members – Patelco suffered another data breach in late 2023 due to the MOVEit vulnerabilities. The Clop ransomware gang was apparently able to gather sensitive data on all 181,507 members. Members have filed a class-action lawsuit related to this incident. It is unclear if this eventually led to the June 2024 ransomware attack, but I suspect the forensic investigation will find that link.

Patelco CU Reports ‘Serious Security Incident’ – A large California credit union was crippled by ransomware over the last few weeks.

Pressure Mounts on Patelco, So Do the Class Action Lawsuits – Patelco now has several class-action lawsuits against it due to this ransomware attack.

Patelco’s Network Stabilized 8 Days After Ransomware Attack – The credit union has been able to start processing transactions again, but they still have a long way to go before they are back online for their members.

Vulnerabilities

CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook – Remote code exec bug patched this week by Microsoft.

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) – Check Point Research – 0-day RCE on all versions of Windows leveraging URL shortcut files. This has been actively exploited for the last 18 months. Roll this patch as soon as possible, but you should also be treating URL files like executables, LNKs, shortcuts, etc. Strip them from emails and prevent users from downloading them.

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere | Ars Technica – TL;DR: this is a RADIUS MitM attack made possible by RADIUS’s non-standard use of MD5, but only if you are not using TLS/DTLS. The best mitigation is to switch to TLS/DTLS transport. I believe the purported impacts of this are overblown. An attacker needs to be inside the network to catch these under typical corporate implementations. And how many RADIUS-over-the-internet implementations are not using TLS? My guess is not many.

RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 – TL;DR – Cisco isn’t sure what products are affected yet, but watch this for more updates.
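To make the “MD5 in RADIUS” point above concrete, here is the RFC 2865 Response Authenticator check a RADIUS client runs on an Access-Accept. This is an added example, not code from the article or the Blast-RADIUS researchers; the packet contents, attribute values and shared secret are constructed for the demo, and the function names are my own.

```python
# Added example (not from the article or the Blast-RADIUS researchers):
# the RFC 2865 Response Authenticator check a RADIUS client performs on an
# Access-Accept. It is the MD5-based integrity check the attack targets;
# over RadSec (TLS/DTLS) the transport protects the packet instead.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, REPLY_MESSAGE = 1, 18  # attribute types (RFC 2865)

# Constructed value for the demo; a real deployment uses its own secret.
SHARED_SECRET = b"example-shared-secret"


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: Code, Identifier, Length, Authenticator, attrs."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The secret is simply appended to a plain MD5 input; that construction is
    the non-standard MD5 use Blast-RADIUS exploits when no TLS/DTLS transport
    wraps the exchange."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(head + request_auth + attributes + secret).digest()


def server_reply(request, attributes, secret):
    """Server side: answer an Access-Request with an Access-Accept."""
    identifier = request[1]
    request_auth = request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attributes, secret)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attributes)


def client_verify(request, reply, secret):
    """Client (NAS) side: accept the reply only if ID, length and the
    recomputed Response Authenticator all match."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])  # constant-time compare


def demo():
    """Round trip plus a tampered reply; returns (genuine_ok, tampered_ok)."""
    request = build_packet(ACCESS_REQUEST, 42, os.urandom(16), attribute(USER_NAME, b"alice"))
    reply = server_reply(request, attribute(REPLY_MESSAGE, b"ok"), SHARED_SECRET)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # flip one attribute byte
    return client_verify(request, reply, SHARED_SECRET), client_verify(request, tampered, SHARED_SECRET)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check catches a casually modified reply, but it is only as strong as MD5 against an attacker who can sit between NAS and server, which is why the article’s advice is to move the transport to TLS/DTLS.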

Critical Ghostscript flaw exploited in the wild. Patch it now! – Threat actors are actively exploiting a Ghostscript vulnerability to escape the sandbox for remote code execution.

Breaches & Attacks

Troy Hunt: Telegram Combolists and 361M Email Addresses – Another huge dump of usernames and passwords hit the web. Some of this data is old/reused, but some of it appears to be relatively new. Time to rotate passwords??

Microsoft Orders China Staff to Switch From Android Phones to iPhones for Work – Bloomberg – Might be petty, but this made me chuckle. Please, employees, use our biggest competitor’s product!

SysInformation Healthcare Services, LLC Provides Notice of a Data Security Event – SysInformation Healthcare Services (TX, USA) suffered a major data breach a year ago, only recently disclosed. Attackers got name, date of birth, health insurance information, medical history, and treatment information. They recommended credit monitoring. And their victims recommended compensation: SysInformation Healthcare Services Data Breach Lawsuit | ClassAction.org

AT&T Says Phone Records Of ‘Nearly All’ Customers Breached – AT&T falls victim to the Snowflake breach.

Neiman Marcus data breach: 31 million email addresses found exposed – Troy Hunt found >31mil customer email addresses on the dark web. Another Snowflake related breach.

Security

ANOM – Darknet Diaries – Another great episode discussing the ANOM crime-phones and how the FBI was actually running the show.

Visual guide to SSH tunneling and port forwarding | ITTavern.com – SSH tunneling is always a good trick to keep in your toolbox.

Cyber Scarecrow – This is an interesting concept that has been leveraged with certain malware to prevent install. It’s almost like a vaccination for your PC. I have two concerns: How will they prevent malware from detecting the software rendering it ineffective? How will they prevent false positives by security software? Hopefully more to come from this project.

GitHub – Lissy93/web-check: 🕵️‍♂️ All-in-one OSINT tool for analysing any website – All-in-one OSINT tool for analysing any website.

Cloudflare 1.1.1.1 incident on June 27, 2024 – A Brazilian ISP attempted to blackhole 1.1.1.1, which was then published to the greater internet causing an outage for Cloudflare’s public DNS service. It’s not clear if this was intentional or an accident. My personal opinion: BGP security needs to become a priority across the globe. One rogue change shouldn’t take down a major internet service.

RockYou2024: 10 billion passwords leaked in the largest compilation of all time | Cybernews – Someone has gathered up all of the breached password dumps over the last several years to create another mega-list, but it appears the file is mostly garbage compared to RockYou2021. This Reddit thread talks more about better sources for password lists: https://www.reddit.com/r/hacking/comments/1dxb25f/whet_to_download_rockyou2024/

Overlooked Domain Name Resiliency Issues: Registrar Communications – SANS Internet Storm Center – Another weak point in the internet: registrars. Someone reported a major ISP domain for phishing, causing the registrar to stop resolving the domain. The registrar did not provide any workable resolution process which could be accessed by clients.

How do cryptocurrency drainer phishing scams work? – Great background on crypto-draining attacks and how to avoid them.

Wide World of Cyber: State directed cybercrime – Risky Business – I’ve enjoyed the thoughtful discussions on these episodes. Worth the listen.

Technology

LeonStraathof/pfsense-speedtest-widget – I recently switched to a pfSense router after missing the advanced features not found in my Eeros, but pfSense doesn’t have a built-in speedtest. This dashboard plugin fixed that. No more worrying if the results are skewed due to other hardware!

DNS Deep Diving with Serena DiPenti – YouTube – The first 10 minutes or so gives you a high level understanding of how DNS works. The rest describes common DNS attacks and how pentesters try to exploit DNS.

Interesting News

Secret meeting between Apple and TSMC reported; 2nm capacity – Courtesy Unsupervised Learning – Has Apple locked down all the 2nm chips? Does this give it market superiority? It certainly allows more power in a smaller space.

A Vast, Untapped Source of Lithium Has Just Been Found in The US : ScienceAlert – Courtesy Unsupervised Learning – It looks like the US may be closer to on-shoring our Lithium needs by extraction from fracking water.

US sues Adobe for ‘deceiving’ subscriptions that are too hard to cancel – The Verge – It’s not enough to milk your users for continued shareholder payouts, but you want to force them into a perpetual contract?

Apple is winning in financial services – Looks like Apple could be opening Apple Pay to additional “buy now, pay later” partners.

Supreme Court ruling on Chevron doctrine may upend future cybersecurity regulation | Cybersecurity Dive

HP discontinues online-only LaserJet printers in response to backlash — Instant Ink subscription gets the boot, too | Tom’s Hardware – HP is giving up on their “instant ink” printers, but they won’t unlock those printers from the service.

Thread by @lcasdev on Thread Reader App – Thread Reader App – Google has given its own APIs preferential access to detailed performance telemetry regardless of user choice, but not other vendors’. This impacts all Chromium-based browsers. This is a clear violation of anti-trust laws.

The last few months

It doesn’t take long for me to forget how long it’s been since I did one of these posts! Here’s a quick update.

What I’ve been doing

Coding: I’ve actually been coding after almost 15 years! We needed to rewrite a custom URL handler to automatically open a member account based on the incoming phone number. I’m surprised how fast I picked up VB.NET, as I stopped developing just as .NET came on the scene. I forgot how fun it can be! I was able to repurpose a custom screen-pop application for our call center to work with a new contact center solution. My next trick is building PowerShell routines to keep the user and contact lists updated, as the app doesn’t support SCIM user creation.

Cord cutting: My wife recently left her position, so we’ve been trying to downsize our discretionary expenses. Entertainment is a big part of that expense, so I’ve taken the leap and dropped internet TV in favor of using an HDHomeRun box with the Plex Live TV service. I still need to experiment with how to best record TV shows, but the live TV works well enough. Bandwidth is the biggest issue, with antenna placement the next. I’m still experimenting with these. I’ve also jumped on a few deals for older DVDs and Blu-rays to build up a legal movie collection. I’m still working on a solution for sports.

pfSense: I’ve come into a few extra hand-me-down PCs, so I’m going to try again to set up a pfSense firewall. My main concern right now is not getting the full throughput on my fiber connectivity, so I need to run some tests first. More on this as I experiment more.

Writing

Patch Tuesday updates for all! – Unstable Path – It’s patch week…like every other week.

Reading & Listening

Technology

CIO who dropped VMware 18 months ago now very pleased • The Register – Yet another story about how Broadcom is shooting itself in the foot and driving VMware into the ground.

Security

LastPass Employee Targeted With Deepfake Calls – SecurityWeek – “In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp,” LastPass says.

Special Edition: Chris Krebs, Alex Stamos and Patrick Gray – Risky Business – Excellent discussion on supply chain sovereignty! I highly recommend infosec nerds take a listen to a new spin on an old issue.

How it Works – Knocknoc – Interesting tech that I heard about on Risky.biz. Allows you to open ports and access services behind SSO that don’t typically support it.

iOS 17.5 bug undeleted sensitive photos—even on devices you no longer own – The Mac Security Blog – Oops Apple! One of the better descriptions of this issue. And another reminder to think twice before you click that pic.

Windows 11 to Deprecate NTLM, Add AI-Powered App Controls and Security Defenses – MS is putting some needed fixes into Windows 11 security.

Financial

U.S. Economy FAQ: Rising Insurance Prices, Stuck Inflation, and More – The Ringer – This discussion of what’s driving inflation rates contains a great explanation on how inflation is tied to the national debt.

Powershell

Invoke-WebRequest or Invoke-RestMethod? – Truesec – Simple answer – Invoke-WebRequest gives you the complete unfiltered results, where Invoke-RestMethod returns just the results in a custom PSObject.

How to use Invoke-RestMethod in PowerShell — LazyAdmin – Great summary on how to use Invoke-RestMethod in PowerShell, including new features in PowerShell v7.

Science

Britain says it is developing a radio-wave weapon that can take out a swarm of drones for just $0.12 a shot – This would be far more effective than trying to shoot down a drone.

Quantum networks are closer to reality – The Verge – Amazon is dabbling in quantum networking? I’m not sure what this gets us that current fiber technology doesn’t. My vision for quantum networking is instant communication across any distance, similar to Three Body Problem sophons or Eve Online’s fluid routers.

Ancient viral DNA in the human genome linked to major psychiatric disorders – Could viral DNA explain why humans develop these mental illnesses which appear to go against evolution?

Blogging

How and why to make a /now page on your site | Derek Sivers – If you have a blog, create a /now page and let folks know what you are up to!

sites with a /now page – A collection of /now pages.

Tools

ThomasKur/M365Documentation: Automatic Microsoft 365 Documentation to simplify the life of admins and consultants. – This project is a life saver for documenting your Intune configurations.

jordanbaird/Ice: Powerful menu bar manager for macOS – Awesome little tool to collapse your Mac menu bar icons to only display what you actually need until you need them.

Patch Tuesday updates for all!

Server racks on fire

Updates for March/April

Leadership: My employer decided to honor me with my first official leadership spotlight post! I was also blessed with the opportunity to participate in a fraud and cybersecurity panel during a recent CCUL Upstate Chapter Meeting.

Intune: I’ve been working on my out-of-the-box experience for iPads and MacBooks. I have been fairly successful with my iPads using specific device configuration profiles, but these aren’t working so well on Macs. Software deployment for Macs is also sub-par, so I’ve been falling back to my current solutions.

Broken Shortcuts: Apple Shortcuts has a bug which strips links from the Make Rich Text From tasks (More Info: Adding Rich Text to Note no longer works in iOS 17 : r/shortcuts). This broke my ability to draft my compilation posts in Apple Notes. I’m bypassing this by writing directly to a Markdown file in my Shortcuts iCloud folder. My hope is this should work from both Mac and iOS as it has in the past.

Home Automation: I have been using Scrypted to link my cameras into Homebridge, but I am not able to get my smart motion notifications to work. Nor am I able to get my doorbell audio working bidirectionally. Scrypted is great otherwise and I would recommend it for anyone with compatible cameras. I’ll experiment with using Homebridge’s FFmpeg plugins again.

Please stop trying to monetize me while I read! I don’t like Medium and other blogger platforms – they seem to be built for profit and drive you to subscribe either to the author’s newsletter or the service by limiting the number of free views per month. I feel like this is going to backfire in the long run.

Reading

Career

The Curse of the Senior Software Engineer – Dmitry Kudryavtsev – This post resonated with me. I faced the same issue once my wife and I decided to move when my stepson graduated high school. (Can I speak more about this?)

Gen-Z is shunning college to take up traditional trades like welding and plumbing they say is far more satisfying and which doesn’t incur huge student debt | Daily Mail Online – My advice to my kids has been exactly this: find a trade, take the 2 year degree, then figure out life from there. I loved what my MS in Cybersecurity taught me, but it wasn’t worth the money I’m paying on it.

Industry News and Trends

After 114 days of change, Broadcom CEO acknowledges VMware-related “unease” | Ars Technica – I’ve been reading more Reddit posts and industry forums discussing huge increases in license renewals and poor support. This is mirroring how Broadcom destroyed Symantec during their acquisition. Folks are looking for alternatives like Nutanix, Proxmox, Azure/AWS, etc. What I don’t hear folks talking about is going to Hyper-V.

Microsoft is confident Windows on Arm could finally beat Apple – Microsoft could very well be faster than Apple’s M3, but the UI has a long way to be as clean and functional as macOS.

Introducing Google’s new Arm-based CPU | Google Cloud Blog – Google is rolling out their own custom silicon to support their own cloud and AI initiatives.

Mac Tips

Disk Utility now has full features for managing snapshots – The Eclectic Light Company – I discovered this neat feature only after reformatting my full backup drive.

Police warn of thieves using wifi-jamming tech to disarm cameras, alarms | KTLA – I feel like this is old news considering how many security cameras are wireless. Running CAT5 isn’t that hard or expensive, and it’s well worth the extra expense.

Health

A diet high in ultra-processed food is linked to a greater risk of many diseases : Shots – Health News : NPR – I’m not surprised by the findings here. The food industry has moved to faster, cheaper ingredients at the expense of consumers’ health.

From the strange files

Mysterious Drones Swarmed Langley AFB For Weeks | The War Zone – What’s happening here?

Remapping iTerm arrow keys

I’ve struggled to navigate the command line since switching to iTerm2, but Marius’s post about remapping the arrow and delete keys fixed that issue.

Go to Profiles > Keys > Key Mapping to add/alter the mappings listed below:

Shortcut    Command                  Action                Send
⌥ ←         Jump to start of word    Send Escape Sequence  b
⌥ →         Jump to end of word      Send Escape Sequence  f
⌘ ←         Jump to start of line    Send Hex Code         0x01
⌘ →         Jump to end of line      Send Hex Code         0x05
⌥ ⌫         Delete to start of word  Send Hex Code         0x17
⌘ ⌫         Delete entire line       Send Hex Code         0x15

Windows Server 2025 Announced

Microsoft announced Windows Server 2025 along with some great features! Can we say hotpatching??

Server maintenance gets faster and easier, for a price: Windows Server 2022 can upgrade directly from Windows Update. Microsoft also introduced Hotpatching for all versions of Windows 2025, but this requires Azure Arc to be enabled and have an active subscription.

Active Directory gets some love: A new functional level introduces scalability enhancements such as larger pages and support for over 64 cores. There are also several security improvements to LDAP and Kerberos, and the ability to prioritize replication.

NTLM is on the way out: Windows will now support local Kerberos authentication and provide a Local KDC feature.

Several storage enhancements: Improvements for NVMe, Storage Replica performance enhancements, and ReFS native Dedup and Compression.

Hyper-V gets better GPU support: You can now partition GPU resources, or assign GPUs to an HA pool. Hyper-V is also getting dynamic processor compatibility, allowing you to have multiple processor generations within the same cluster.

File Servers Improvements: Microsoft is rolling out SMB over QUIC for secure access to corporate file shares without a VPN.

These are just the highlights that I picked up after watching the last Ignite session: Introducing Windows Server 2025!

How a tiny Pacific Island became the global capital of cybercrime | MIT Technology Review

Despite having a population of just 1,400, until recently, Tokelau’s .tk domain had more users than any other country. Here’s why.
— Read on www.technologyreview.com/2023/11/02/1082798/tiny-pacific-island-global-capital-cybercrime/

(From How .tk Became a TLD for Scammers – Schneier on Security — Read on www.schneier.com/blog/archives/2023/11/how-tk-became-a-tld-for-scammers.html)

Meross Smart Wi-fi Garage Door Opener

I’ve been having trouble controlling my garage door using the MyQ integration in Homebridge. The MyQ plugin would randomly stop working until I restarted the Homebridge server. Then it stopped working after the most recent plugin update. I tried several fixes from Reddit that didn’t work, so I gave up and started using the MyQ app again. The MyQ API calls used by these plugins are proprietary, and it looks like MyQ doesn’t want any 3rd parties utilizing it. So no more telling Siri to close my garage door until I fix it.

I stumbled across the Meross Smart Wi-Fi Garage Door Opener (MSG100HK) in one of those Reddit posts while trying to fix my old setup. I’ve been happy with the other Meross HomeKit devices I’ve purchased. Meross integrates nicely with Apple Home, and they have a good price point. This device is no different – it lists for a bit less than the MyQ devices do.

The Meross opener operates differently from the MyQ setup. Everything is wired to your door opener, so there are no batteries to replace. There is also no programming a new remote with your door opener, making almost any garage door opener compatible with Meross’ opener. Installation took about 30 minutes including taking down the MyQ. Adding to Apple Home took about 30 seconds and did not require the Meross app.

My experience with the Meross opener is better than MyQ. The opener responds nearly instantly to open/close commands. There is also no warning beep or flashing light when you trigger a door close. It works just like the button on your wall! I recommend the Meross Smart Wi-Fi Garage Door Opener (MSG100HK) over a MyQ device.