WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

From 5G to 6G: The race for innovation and disruption

See how 5G and 6G development are facing down their challenges to drive the future of tech toward innovation and industrial disruption.

The Best Web Hosting Providers of 2022

Your business needs a web host that’s stable, secure, and fast.  The right hosting provider will make your site easier to manage, and improve the experience of customers visiting you online.  While it seems like web hosts are a dime a dozen, we strongly recommend prioritizing quality over lowest cost.  More…

Mirai Variant MooBot Targeting D-Link Devices

In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. The vulnerabilities exploited include:

• CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
• CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
• CVE-2022-26258: D-Link Remote Command Execution Vulnerability
• CVE-2022-28958: D-Link Remote Command Execution Vulnerability

If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks. The exploit attempts captured by Unit 42 researchers leverage the aforementioned vulnerabilities to spread MooBot, a Mirai variant, which targets exposed networking devices running Linux.  More…

How to deal with dates and times without any timezone tantrums…

Heartfelt encouragement to embrace RFC 3339 – find out why!

Impact of Samsung’s most recent data breach unknown

The lack of transparency could be cause for concern, but the data stolen is not high value.

Samsung announced on Sept. 2, 2022 its second data breach of 2022. In a statement that provided little detail about the exact nature of the breach, the company said that name, contact, demographic information, date of birth and product registration information of “certain customers” was impacted.

The rise of Linux malware: 9 tips for securing the OSS

Jack Wallen ponders the rising tide of Linux malware and offers advice on how to help mitigate the issue.

Linux is the most secure operating system on the market; for years, that has been one of the open source platform’s best selling points. However, as with anything regarding technology, it’s only a matter of time before criminals catch up. This has been the case with every operating system, software and service. At this point, to say Linux is immune to malicious software would be a fallacy.

How Is Starlink Changing Connectivity?

Elon Musk’s venture has provided internet access for forces in the Ukraine and Hoh students in Washington, and the organization has a lot more planned.  From the Smithsonian.  More...

Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!

Simple but super-sneaky – use a picture of a browser, and convince people it’s real…

USB “Rubber Ducky” Attack Tool

[2022.08.18] The USB Rubber Ducky is getting better and better.

Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user’s login credentials or causing Chrome to send all saved passwords to an attacker’s webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this… then that).

That means, for example, the new Ducky can run a test to see if it’s plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, “Sorry, I guess that USB drive is broken,” and take it back with all their passwords saved.

FTC Sues Data Broker

[2022.08.30] This is good news:

The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency.

“Defendant’s violations are in connection with acquiring consumers’ precise geolocation data and selling the data in a format that allows entities to track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery,” the lawsuit reads.

High-School Graduation Prank Hack

[2022.08.31] This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools.

During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ computers; discovered a new vulnerability (and reported it); wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the school’s network. Many of the techniques were not sophisticated, but they were pretty much all illegal.

It has a happy ending: no one was prosecuted.

A spokesperson for the D214 school district tells WIRED they can confirm the events in Duong’s blog post happened. They say the district does not condone hacking and the “incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students.”

“The District views this incident as a penetration test, and the students involved presented the data in a professional manner,” the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.

The school also invited the students to a debrief, asking them to explain what they had done. “We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information,” Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.

EDITED TO ADD (9/13): Here’s Minh Duong’s Defcon slides. You can see the table of contents of their report on page 59, and the school’s response on page 60.

Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

Original release date: September 14, 2022

CISA, Federal Bureau of Investigation (FBI), National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), Department of the Treasury, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC) have released a joint Cybersecurity Advisory (CSA), Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. This advisory updates previous joint reporting from November 2021, to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies now assess are associated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

• Patch all systems and prioritize remediating known exploited vulnerabilities.
• Enforce multifactor authentication (MFA).
• Secure Remote Desktop Protocol (RDP) and other risky services.
• Make offline backups of your data.

See Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations and joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities for information on these Iranian government-sponsored APT actors’ tactics and techniques, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

For more information on state-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage.