Microsoft rushes fix for PetitPotam attack PoC
Microsoft was quick to respond with a fix to an attack dubbed “PetitPotam” that could force remote Windows systems to reveal password hashes that could then be easily cracked. To thwart an attack, Microsoft recommends system administrators stop using the now deprecated Windows NT LAN Manager (NTLM). “To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” wrote Microsoft.
Apple releases urgent zero day bug patch for Mac, iPhone and iPad devices
The update is for a flaw that Apple said may have already been actively exploited, making it the thirteenth such vulnerability it has patched since the start of this year. Arriving less than a week after the release of iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, the patch fixes a memory corruption issue in the IOMobileFrameBuffer component that could be abused to execute arbitrary code with kernel privileges. The timing of the update raises questions about whether the zero-day had any role in compromising iPhones using NSO Group’s Pegasus software, which has become the focus of a series of investigative reports on mobile phone-based spyware tools.
Google launches new Bug Hunters vulnerability rewards platform
Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. In all, Google says that the researchers have been rewarded $29,357,516 since January 2010. The new site brings the company’s VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues. It has also launched a new Bug Hunter University, which allows bug hunters to brush up on their skills or start a hunting learning streak.
Student walks off with $50,000 after finding gaping hole in Shopify software repos
Computer science student Augusto Zanellato received the reward following his discovery of a publicly available access token which gave the world read-and-write access to Shopify’s source code repositories. Zanellato uncovered the vulnerability while investigating a third-party Electron-based macOS application created by a Shopify developer. “I can’t share the name,” Zanellato told The Register, “but I can say it’s a desktop client for a popular video conferencing platform which doesn’t provide an official one.” The Canadian e-commerce giant took the issue seriously. The company revoked the access token within 24 hours and granted the vulnerability a CVSS severity score of 10 – the highest possible.
Thanks to our episode sponsor,
Varonis

Microsoft Teams now automatically blocks phishing attempts
Safe Links is a feature in Defender for Office that provides URL scanning and “time-of-click verification” of URLs and links in email messages, groups, and other locations. Safe Links can help protect enterprise organizations from malicious links sent by threat actors behind phishing attempts and other attacks. The new Safe Links protection is now generally available to all Teams users, and it works for links in conversations, group chats, and Teams channels. However, since no Safe Links policy is enabled by default, admins will have to create one or more policies to get the protection of Safe Links in Microsoft Teams.
US has new cyber security rules for pipelines
The federal government has launched new regulations requiring owners of critical pipelines that transport hazardous liquids and natural gas to implement “urgently needed protections against cyber intrusions.” This was the second time since May that the Department of Homeland Security (DHS) issued a cyber security directive aimed at US pipeline operators. It comes in the wake of the Colonial Pipeline hack that disrupted fuel supplies across the southeastern US for days. The security directive requires critical pipelines to take defensive measures to protect themselves from ransomware attacks and other known threats to IT systems. Pipeline owners must also have a cyber security contingency and recovery plan in place.
APT group hits IIS web servers with deserialization flaws and memory-resident malware
A sophisticated, potentially government-sponsored threat actor has been compromising major public and private organizations over the past year by exploiting deserialization flaws in public-facing ASP.NET applications to deploy fileless malware. Dubbed Praying Mantis, or TG1021, by researchers from incident response firm Sygnia, the hacker group puts a strong focus on detection evasion by using a volatile and custom malware toolset built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement. Detecting Praying Mantis’ activities is not easy because of the volatile nature of its memory-resident malware and the group’s attention to operational security. A detailed description of this threat is available at CSOOnline.com.
Hacker hacks DEFCon
A security specialist and blogger by the name of Reznok wrote last week about how he was able to dump a list of the names, e-mail addresses, and tickets of anyone who had bought a ticket online for the DEFCON 29 conference, which hosts a large number of people who value their anonymity. The hack was made possible through the confirmation page that displayed Reznok’s purchased event ticket, along with his first name, Brandon, and his ticket barcode. The URL of the page was entirely unprotected, and modifying a single digit allowed him access to other attendees’ confirmation pages. This access control vulnerability is known as IDOR (Insecure Direct Object Reference). Reznok brought this to the attention of the event’s guest manager, where it was quickly fixed.
(Reznok)
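To make the IDOR pattern concrete, here is an added illustration (not code from the DEF CON ticketing system or from Reznok’s post) of a confirmation-page lookup that trusts the ticket number in the URL, beside a hardened version that scopes the lookup to the authenticated purchaser and uses an unguessable reference. All names, ticket data and the `Forbidden` error are constructed for the example.

```python
# Added illustration of the IDOR pattern described above, not code from DEF CON's
# ticketing system or from Reznok's post. Data and identifiers are constructed.
import secrets
from dataclasses import dataclass, field


@dataclass
class Ticket:
    ticket_id: int          # sequential, guessable number exposed in the original URL
    owner: str              # account that bought the ticket
    name: str
    email: str
    barcode: str
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # unguessable


# Constructed sample data standing in for the ticket database.
TICKETS = {
    1001: Ticket(1001, "brandon", "Brandon", "brandon@example.invalid", "CODE-1001"),
    1002: Ticket(1002, "alice", "Alice", "alice@example.invalid", "CODE-1002"),
}
BY_REF = {t.ref: t for t in TICKETS.values()}


class Forbidden(Exception):
    """Raised when the caller may not see the requested ticket."""


def confirmation_vulnerable(url_ticket_id: int, session_user: str) -> dict:
    """Vulnerable: uses the object ID straight from the URL and never compares it
    with the logged-in user, so changing one digit returns someone else's ticket.
    session_user is deliberately ignored here to mirror the missing check."""
    t = TICKETS[url_ticket_id]
    return {"name": t.name, "email": t.email, "barcode": t.barcode}


def confirmation_fixed(url_ticket_ref: str, session_user: str) -> dict:
    """Hardened: the lookup is bound to the authenticated purchaser, and the URL
    carries a random reference instead of a sequential counter. The random ref
    only raises the cost of probing; the ownership check is the real control."""
    t = BY_REF.get(url_ticket_ref)
    if t is None or t.owner != session_user:
        # Same response for "missing" and "not yours", so a caller cannot tell
        # which references exist.
        raise Forbidden("ticket not found")
    return {"name": t.name, "email": t.email, "barcode": t.barcode}
```

The vulnerable handler hands over another attendee's record for any ID that exists; the fixed one returns the same error whether the reference is absent or belongs to someone else.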