The Security Digest: #68

by Daniel Tobin on July 6, 2021

Ransomware attacks were bad, but they hadn’t been the biggest yet! Windows becomes more like Linux as printing has been disabled. K8s is used by everyone including bears. More trouble for MyBook devices. A Twitter clone for Trump supporters immediately had thousands of pentesters and finally the GAO says federal agencies should rein in facial technology. Plus the earliest known species of owl and solution for subdomain takeovers in AWS.

Oh boy, Revil says it has ransomwared over 1 million devices by hitting IT managed service provider (MSP) Kaseya… At this point, the numbers are supposedly over 1000 companies and the group is asking for $70 million in payment via Verge. So, how did they get in? Well, turns out that this was known to Kaseya and they were in coordinated disclosure and in the process of rolling out patches via BleepingComputer. Cryptically one of the researchers, Victor Gevers, mentioned slightly more that I’ll leave up to the readers interpretation.
Meanwhile, if you might be affected by ransomware, CISA has released the Ransomware Readiness Assessment (RRA) so you can perform your own self audit via BleepingComputer
This week’s news was supposed to be about PrintNightmare which now has unofficial patches while Microsoft tries to unspool this vulnerability via BleepingComputer. This is the second set of vulnerabilities discovered in Microsoft’s PrintSpooler and was accidentally released after the announcement of the first. The exploit was supposed to be debuted at BlackHat early next month but was accidentally released early via The Verge.
Kubernetes aka K8s is all the rage today for everyone including Russia’s GRU unit aka Fancy Bear etc, as the NSA warns they have been using it to run password spraying attacks and more. Turns out they forgot to use an anonymization service for a time being exposing the K8s clusters IPs directly via BleepingComputer.
After mentioning one 0-day that was responsible for threat actors wiping Western Digital MyBook devices in TSD-67, KrebsOnSecurity is reporting that there is another coming. This bug affects current devices that are not updated to the latest version, so if you have one, make sure it’s updated.
Security is hard, especially for Trump’s former spokesman’s Twitter clone GETTR which had passwords exposed, sequential IDs for easy scraping and more. Motherboard details the fiasco of the app that was quickly dissected after going online.
Finally, Motherboard reports on the findings that 6 federal agencies used facial recognition technology on Black Lives Matters protests in 2020. The report from the GAO calls out specifically in the title “Federal law enforcement agencies should better assess privacy and other risks.”

Owl fun and facts:

Ogygoptynx wetmorei by avancna on Deviant Art

“Owls are classified as ‘Strigiformes’ and have been found in the fossil record dating back to the time just after it is believed non-avian dinosaurs (like T-rex and Triceratops) went extinct, around 66-million years ago. Ogygoptynx, the oldest owl fossil on record, was believed to have lived in present-day Colorado about 61-million years ago.” via WorldAtlas

A Shout Out:

Paul Schwarzenberger from OVO energy has just released Domain Protect which utilizes Cloudwatch, Lambda and SNS to automatically scan for subdomain takeover issues and proactively protect yourself from them. This is an amazing use of security as code to continuously scan and protect your environment. Subdomain takeovers are such a common thing as everything is elastic and there are almost always intermittent failures in tear downs. Download Domain Protect on Github and read their blog post on the OVO tech blog.

About:

TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.

Check back here every Tuesday for more TSD or sign up below to stay in the loop!