Episode 17 MP3 | Youtube | Twitch.TV | Twitter | FacebookiTunesStitcher


Story Title: Mirai Botnet activity detected in Germany
Synopsis/Talking points:
Exploiting SOAP requests sent via the TR-069 protocol used to control DSL modems remotely.
Exploit sends an update to reconfigure the modem’s NTP servers. Apparently the backtick characters ““” which are shell specials used to execute the command in backticks are not escaped, resulting in RCE, and thousands of compromised routers
This is a command injection vulnerability. Also theres a metasploit module for it already.
If you have port 7547 open on your ISP modem/router, you may possibly be at risk.
References:
https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759
https://www.exploit-db.com/exploits/40740/

Story Title: Tor got pwned again
Synopsis/Talking points: Vulnerability in Mozilla Firefox discovered ITW being used to compromise TOR users
According to a user on ycombinator’s hacker news, the exploit is being delivered to visitors of the TOR CP site “giftbox”
The exploit reportedly “got loaded on the confirmation page after logging in”
Some are stating the exploit payload is roughly similar to that of the FBI’s payload when they were attacking TOR users in 2013
“The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in webpages served by a service known as Freedom Hosting.”
I have a humungous hate-boner for TOR, but respect the fact that there are a lot of political dissidents in regimes around the world that RELY on it to be secure.
In that same breath, fuck child predators who use TOR. I hope the FBI nails them.
To that effect, utilize noscript, and/or umatrix to block JS by default and only enable it when necessary.
Really, if you’re using TOR, you shouldn’t have javascript enabled in the first place, but it is what it is.
References: http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://news.ycombinator.com/item?id=13066825

Story Title: #Creditcardchallenge
Synopsis/Talking points:
SERIOUSLY!?!?!
Credit card challenge was a hashtag observed on twitter. People are posting credit card numbers, expiration dates and CVV2 codes on social media. Some are just trolling, and some are legitimately that stupid.
This is nothing terribly new, people have been observed dropping pictures of credit cards, passports, licenses, etc on social media. A lot of OSINT and Social Engineers have found this information and have even said “You should probably remove this” with varying degrees of success.
References:
https://hashtagnow.co/hashtag/creditcardchallenge
Story Title: SFMTA Light Rail Ransomware attack
Synopsis/Talking points:
San Francisco Municipal Transportation Agency (SFMTA)
Passengers get to ride free due to the attack
Ransomware infected the MBR
Attack likely exploited low hanging fruit
Might’ve exploited Weblogic vulnerability
Specifically seems to target the Primavera Project Portfolio Management Software
Has used this to target other victims
For a few extra BTC, hacker will help you close the flaw s/he exploited
Hacker seems to utilize open source tools and do his own target sourcing
Attribution puts the hacker in Iran, but using a Russian mobile number.
Hacking karma seems to have circled back around
Hacker’s inbox was gotten via guessing security recovery questions
SFMTA seems to be restoring from backups rather than paying the ransom
Hacker is now threatening to release 30GB of data if they aren’t paid
Lessons learned:
Don’t have lowdangling fruit
Have Backups
Test Backups
Segment your network
Its almost like I wrote a lot of shit about doing these things months ago.
References:
http://www.csoonline.com/article/3144991/security/ransomware-forces-sfmta-to-give-free-rides-73-000-demanded-by-attackers.html
http://www.csoonline.com/article/3145425/security/sf-muni-hacker-lashes-out-threatens-to-release-30gbs-of-compromised-data.html

San Francisco Rail System Hacker Hacked


Ransomware defense related:
http://blog.talosintel.com/2016/04/ransomware.html
https://www.hurricanelabs.com/blog/ransomware-network-hardening-tips-1
https://www.hurricanelabs.com/blog/ransomware-network-hardening-tips-2
https://www.hurricanelabs.com/blog/ransomware-network-hardening-tips-3

ProTip of the Week:
Details: Accurately Model and Emulate Your Adversaries
Research the adversary or adversaries are for the targeted organization
Research the adversary’s capabilities to more accurately emulate them
Research the adversary’s infrastructure to try to match it as closely as possible
References:
http://www.sixdub.net/?p=762
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf