🔓 [CyberFacts Weekly - Issue 0x00] First Out

AlphaBay’s founder is back / Donation sites abuse for card testing / Apple Tracking Transparency lets trackers track / AI can introduce vulnerabilities in code / Valid PEs that evade integrity checks / Severe bug in MS Exchange Autodiscover / High-res satellite imagery as a service / BulletProofLink PAAS operation / How UAE spy program recruited an NSA hacker

Sep 24, 2021

Hello 👋

And welcome to the first issue of the CyberFacts Weekly 🥳

I’ve started to systematically keep an archive of my readings since early 2021. There are already many good cyber-security newsletters (e.g., tl;dr sec), so by no means I’m trying to compete with them.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

This Week’s Top Picks

#darkweb | The founder of the AlphaBay dark web marketplace is back

by Andy Greenberg for WIRED

Interviewed by Andy Greenberg, DeSnake—founder of AlphaBay, the biggest dark web marketplace—explains how he walked away from the takedown four years ago. Greenberg verified DeSnake’s identity by signing a public message with his original PGP key, which multiple security researchers verified.

#cybercrime | Cybercriminals abuse donation sites for (stolen) credit card testing

by Gemini Advisory (Recorded Future)

According to a research by Recorded Future’s Gemini Advisory, cybercriminals are abusing nonprofit donation websites to test whether a card has been already flagged as “stolen” or it’s still good for conducting illicit financial transactions.

#privacy | Apple’s Tracking Transparency lets tracker track

by Johnny Lin of Lockdown Privacy

In a report also featured by the Washington Post, ex-Apple engineers and founders of Lockdown Privacy proved that the Apple Tracking Transparency (ATT), which is supposed to let end users’ control which apps can contact 3rd-party trackers, made no difference in the number of active trackers used by popular apps.

#AI | Security implications of AI-assisted pair programming

by Hammond Pearce et al. at NYU

A research work systematically analyzed the conditions that can cause GitHub Copilot to include insecure code, while assisting programmers that use popular tools such as VisualStudio Code. The research used MITRE’s Top 25 most dangerous software weaknesses as a reference.

Thought: In 2017, my co-authors and I showed in a research paper that humans tend to blindly copy-paste (insecure) code found in online tutorial, contributing the overall propagation of vulnerabilities in popular open-source repositories. It would be nice to see how GPT-3-based AIs like GitHub Copilot compares against humans at not getting rid of vulnerabilities when replicating or refactoring code while porting it across projects.

#malware | Breaking certificate parsing to cook valid PE files that evade detection

by Google’s Threat Analysis Group

Google’s TAG spotted a new evasion technique used to create valid PE files that pass the integrity checks while using a bogus cryptographic certificate. This allows attackers to cover their “identity” (i.e., the certificate used to sign the PE) without affecting the integrity of the signature.

#vulns | Severe bug in Autodiscover protocol used by Microsoft Exchange

by Guardicore

A protocol used by Microsoft Exchange for automatic client configuration was found by Guardicore to have a design flaw that lets an attacker leak web requests to domains outside of the user’s domain, but in the same TLD.

if an attacker can control such domains or has the ability to “sniff” traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire.

#intelligence | Thanks to a PlanetLab subscription, Bellingcat can now access satellite imagery

by Bellingcat

(Lawful) intelligence operations can now leverage up to 50cm resolution imagery of anywhere on Earth, with a business day response time. It’s only a few days ago that I discovered the amazing what3words service, that let us map 3x3 square meters blocks into a fictitious space made of word triplets, and I thought “WOW, 3 meters is a very high resolution!” for geo-location. 😱

#phishing | BulletProofLink Phishing-as-a-service (PAAS) operation: unveiled and analyzed

by Microsoft 365 Defender Threat Intelligence Team

One of Microsoft’s threat-intel research teams has analyzed a big phishing campaign that generated a whopping 300,000 new, unique subdomains. This led the team to unveil a large-scale phishing-as-a-service operation called BulletProofLink, specialized in selling phishing kits, templates, hosting, and basically the ecosystem needed to run phishing campaigns.

#espionage | Former NSA employer describes being recruited in UAE’s spy program

by Kim Zetter

David Evenden was hired in 2014 to work in Abu Dhabi on a defensive cybersecurity project, only to discover it was actually an offensive spy operation for a United Arab Emirates intelligence service.

Also Noteworthy

#vulns | Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

by Denis Tokarev

A security researcher shares their frustration when dealing with Apple’s bug bounty program, after having reported four 0-day vulnerabilities in 2021 between March 10th and May 4th (three are still present in iOS 15.0 and one was fixed in 14.7).

Thought: Running a successful bug bounty program is program takes more than creating a security@ email alias or upload a security.txt file. It takes workforce, expertise, and resources. Even the most resourceful organizations can mishandle security resources, confirming that it’s all but an easy process, where multiple interests and opposing tensions can conflict.

More on 0-days “In the Wild” in 2021, by Patrick Howell O’Neill for MIT Technology Review, based on data provided by Google’s Project Zero.

#vulns | MSHTML attack targets Russian state rocket centre and interior ministry

by Malwarebytes Labs

Malwarebytes has reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.

#ransomware | Ransomware detections dropped by almost half, but victims are now bigger

by TechRepublic

[…] ransomware numbers decreased by almost half in H1 2021 compared to H1 2020 [but this] indicates changing tactics. [Indeed] attackers are moving from the opportunistic and quantity-focused model to more targeted modern ransomware methods and big-game hunting.

Original report (by Trend Micro Research): Attacks From All Angles: 2021 Midyear Cybersecurity Report

#cloud | Scanning activity to find endpoints vulnerable to VMware CVE-2021-22005

by Sergiu Gatlan for Bleeping Computer

While no public exploit exists yet, a few hours after the patch for CVE-2021-22005 was released, honeypots have spotted probing activity:

CVE-2021-22005 allows arbitrary file upload vulnerability that could lead to remote code execution.

#iot | Zero-click remote code execution (RCE) vulnerability in Hikvision IP cameras (CVE-2021-36260)

The majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical remote unauthenticated code execution vulnerability even with latest firmware (as of 21 June 2021). […] This permits an attacker to gain full control of device with an unrestricted root shell.

#remotework | Seventy-Four Percent of Organizations Attribute Damaging Cyberattacks to Vulnerabilities in Technology Put in Place During the Pandemic, According to Global Industry Study

by Tenable

[in a] study of more than 1,300 security leaders, business executives and remote employees conducted by Forrester Consulting on behalf of Tenable […] 74% of organizations attribute recent business-impacting cyberattacks to vulnerabilities in technology put in place during the pandemic

#enterprises | FireEye Announces Plans to Relaunch as Mandiant

via MarketScreener

Original document (by SEC.gov): https://www.sec.gov/Archives/edgar/data/1370880/0001370880-21-000035-index.html

#APT | Turla deploys new malware to keep a secret backdoor on victim machines

by Cisco Talos

a new backdoor used by the Russian Turla APT group […] [with] infections in the U.S., Germany and, more recently, in Afghanistan […] likely used as a stealth second-chance backdoor to keep access to infected devices.

The backdoor code is quite simple but is efficient enough that it will usually fly under the radar. [So,] it is not easy for anti-malware systems to detect it as malware.

This malware contacts the C2 every five seconds. A good defense system would detect this anomaly in the network traffic and raise an alarm, showing a great example of how important it is to incorporate network behavior-based detection into your security approach.

#evoting | 19 DDos attacks carried out against Russia’s remote electronic voting system

via TASS

Nineteen DDoS attacks were registered against Russia’s remote electronic voting system, but all of them were repelled. […] The most massive attack […] [which] lasted 5 hours and 32 minutes.

The attacks originated from different countries, including India, Brazil, Vietnam, Lithuania, the United States, Germany, Russia, Thailand, Bangladesh, China and many others.

#fraud | Italian mafia members arrested for conducting SIM swapping, phishing, CEO fraud

by Catalin Cimpanu

A joint law enforcement operation between Europol, Italian, and Spanish police has resulted in the arrests of 106 members of the Italian mafia on crimes related to cybercrime and money laundering.

Original press release (by Europol).

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede