KazukiLabs NewsLetter Vol. 3 Num. 26
The Voices from the Dark Side
Hi again, it’s suddenly Monday again and thus time for a new newsletter!
A large chunk of the technology you can find in my home is starting to get on in years, since I never liked replacing something that still works just fine (like my still-going-strong 15-year-old 47” LCD); I just view it as a waste of money to get something new when it's not needed, which also includes phones and computers.
However, in recent years I have noticed that a lot of the things I want to do, such as running multiple VMs for bigger labs while doing heavy multitasking and running tasks that require a lot of resources, do require a more or less full system upgrade, which I planned to do a couple of years ago; then the world went into chaos and getting any kind of hardware for a reasonable price was impossible.
Things have fortunately improved quite a bit since then and prices have started to come back down to a reasonable level. So I have decided now is as good a time as any to upgrade everything so I can actually get around to doing some real work, which up to this point has been severely limited due to resource and technology constraints.
Well, I say that, but I don’t know if it’s just because it’s nearing Christmas and thus everything gets sold out or costs a fortune, but the GPU I planned to get was an RTX 3090, which less than two months ago was selling for less than $1300 and is now suddenly sold out or going for $2000+, which is just insane. So I decided I will just have to upgrade everything else after New Year and then get the GPU later when it has gone back down to a more reasonable level.
Anyway, today’s newsletter has LastPass having breach problems again, malware using leaked Android certificates to gain the same authority as the Android OS, browsers dropping the TrustCor root certificate, the UK introducing new mandatory cyber incident reporting for MSPs and updating existing rules, Rackspace Exchange services going down and still being down, Anker caught lying about their Eufy cameras, Intel introducing a pay-as-you-go CPU licensing scheme, VX-Underground interviewing the organiser of the URSNIF banking trojan, and more.
~Kazu
News of Interests:
LastPass says it was breached — again
https://techcrunch.com/2022/11/30/lastpass-goto-breached-customer-information
Kazu: It seems LastPass had an incident again, which this time seems to be connected to their parent company GoTo. Both published a blog post about the incident, but GoTo decided to go the extra step and actually told Google not to index it, so you won't find it if you search for it, which I find kinda shitty and reeks of "well, we technically disclosed it even if fewer people knew about it because we made it harder to find".
Anyway, regardless, LastPass themselves say that ‘no customer data has been affected’, as it's encrypted and only customers with their password can unlock it, and all that stuff. And while this may be true, it's a reminder that anything that is online can and will someday be affected by malicious people or organisations.
And even if customers' passwords are safe, they can still be lost if the system they are hosted on goes down or someone maliciously deletes all the databases with customer information, even if encrypted, so making sure you have an offline backup of your password manager is important in case something happens to the online one.
Tags: News: Lastpass, Breach, GoTo, InfoSec
Platform certificates used to sign malware
https://bugs.chromium.org/p/apvi/issues/detail?id=100
Kazu: It appears Android platform certificates for several vendors, including ones from companies such as Samsung, have leaked. How they got leaked is not known, and some seem to be from a couple of years back, so possibly all, or at least some of them, are not recent.
But they are all still valid and would allow an Android app signed by these certificates to get the same permission and authority level as the Android OS, which is a bad, bad thing.
The only way to resolve this is to rotate all the keys, which, depending on which certificate is used, is either possible or not; expect an OTA update to your phone in the near future to try and fix some of this mess.
Luckily, the OTA certificates are not affected, so malicious actors can't send out a fake OTA.
Twitter link below with a further take on this:
https://twitter.com/MishaalRahman/status/1598426974594433025
Tags: Android, News, certificates, leaks, InfoSec
Web browsers drop mysterious company with ties to U.S. military contractor
https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/
Kazu: Some time back it was reported that most web browsers trust a wide range of root certificates, which are designed to make sure you are connected to the right site, and that among them were certificates of shady origin, with one of them, "TrustCor", being connected to the US military and communication interception.
It is now reported that most web browsers have now removed the certificate after the news came out, which is a good thing, but it does point out that threat is everywhere, both from inside and outside your environment, as trusted software and services may hide things that are not found until a long time later.
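As an added example (not from the article or this newsletter), a Python check for whether a distrusted root is still present in a CA bundle: it builds a constructed two-root bundle in memory (the TrustCor organisation name used is a placeholder, not the real roots' subject) and reports the subject and SHA-256 fingerprint of any root whose organisation matches, which you would then compare against the fingerprints the browser vendors published.

```python
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def make_root(org, cn):
    """Build a self-signed CA certificate (PEM) for the constructed sample bundle."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def find_roots_by_org(bundle_pem, org_substring):
    """Return (subject, SHA-256 fingerprint) for each cert whose O= contains the string (case-insensitive)."""
    hits = []
    for block in PEM_BLOCK.findall(bundle_pem):
        cert = x509.load_pem_x509_certificate(block)
        orgs = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
        if any(org_substring.lower() in org.lower() for org in orgs):
            hits.append((cert.subject.rfc4514_string(), cert.fingerprint(hashes.SHA256()).hex(":")))
    return hits


# Constructed two-root bundle standing in for /etc/ssl/certs/ca-certificates.crt (placeholder org names).
SAMPLE_BUNDLE = make_root("TrustCor Sample Org", "TrustCor Sample Root") \
    + make_root("Example Trust Services", "Example Root CA")

if __name__ == "__main__":
    for subject, fingerprint in find_roots_by_org(SAMPLE_BUNDLE, "trustcor"):
        print(f"still trusted: {subject}  sha256={fingerprint}")
```

On a real system, read the bundle from disk instead of SAMPLE_BUNDLE; a match means the browser-side distrust has not reached the OS or application trust store that bundle feeds.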
Tags: web browser, infosec, certificates, trustcor, revoking, root certificates, News
UK introducing mandatory cyber incident reporting for managed service providers
Kazu: The UK is making changes to their Network and Information Systems regulations, both adding mandatory reporting of cyber incidents for MSPs and updating the existing ones related to things like the power, water and transportation industries, which up to this point have not been strict enough, so despite multiple incidents the threshold for reporting was never met, which they are trying to change with this new update.
Tags: InfoSec, Regulations, UK, NIS, MSP, Regulatory Change, legal, news
Rackspace: Ongoing Exchange outage caused by security incident
Kazu: Seems Rackspace has been hit with a major outage putting most of their "hosted exchange" services such as IMAP, POP, SMTP, MAPI/RPC, Outlook Web Access and ActiveSync out of service since Friday, with many understandably being very frustrated and annoyed by the lack of communication from them.
While some suspect ransomware, nothing has as of yet appeared on the usual ransomware sites, and the fact that only some and not all services, even within their "hosted exchange" category, are affected suggests one of two things in the case of ransomware:
Either they managed to stop the ransomware from deploying and have taken the servers offline until they can be certain it's safe to bring them up again, or only some servers were encrypted before they managed to stop it and they are now trying to recover from it.
The first option is more likely than the last one, as the encryption doesn't normally start until they manage to spread everywhere, so in the case of the last one, it was either triggered early because they thought they had been discovered, or they couldn't manage to spread any further due to security controls so they just decided to detonate it on the systems it already had, in which case data was almost guaranteed to have been extracted.
In the case of the first one, where they managed to stop it before being deployed and are just checking everything first and eventually rolling back the systems, any data may have already been extracted depending on the stage it was at when discovered.
However, it's too early to say anything for sure, and for all we know there may just be a failure internally with something they need to fix, but if that were the case they would likely just state it as such, so there's a good chance it's because of outside reasons.
As of this publication, their status page still lists the services as being down.
Tags: Rackspace, Incident, outage, cloud provider, exchange, infosec, News
Anker’s Eufy lied to us about the security of its security cameras
Kazu: Anker, the company known for making high-quality and cheap phone chargers and other power-related products, has branched out into making security- and privacy-focused security cameras.
And due to their strong emphasis on privacy, they have been of quite some interest to privacy-conscious people. Sadly, it appears they are not as secure as previously stated, with security researchers finding multiple issues, including sending the feed to the cloud and strangers being able to access the feed unauthenticated, with the company denying it being possible.
Tags: InfoSec, Privacy, Anker, Eufy, Camera, Vulnerability, Technology
Intel Officially Introduces Pay-As-You-Go Chip Licensing
https://www.tomshardware.com/news/intel-officially-introduces-pay-as-you-go-chip-licensing
Kazu: For any people who have been around the internet long enough, you may remember the old joke of suggesting that people who need more RAM could just go to a website to download more RAM, which, if you didn't know, is not possible, as we have not yet managed physical transfer of objects (or at least silicon-based ones) over the internet.
However, while you still cannot download RAM, you now seem to be able to download more CPU, as Intel has introduced a new "pay as you go" chip licensing scheme, which means you are literally getting the highest-end CPU they have for a cheap price, but very restricted, and then you can pay to unlock more power as you need it.
.....OK, fair enough, technically you're not downloading something physical but instead an unlock code (or whatever they decide to implement), but it's still technically downloading more power for your CPU.
Also, I do not know how they plan on restricting the access, but I will give it a couple of months and I am sure there will be software out there that will unlock everything so you don't have to pay; there usually is after a while, but we will have to see how it goes, I guess.
Tags: Technology, Intel, CPU, Pay as you go, Licensing
Other Interesting Things:
New details on mercenary spyware vendor Variston
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/
Kazu: Google's threat intel team has been quite busy it seems, as they have now released a report exposing the previously unknown mercenary group Variston, which is known to sell spyware.
Seems like new spyware-related news keeps popping up every week in Europe. Oh well, at least people have something to write about, I guess, which I guess is good for something.
Tags: Spyware, CTI, InfoSec, Mercenary, Google, Report, Google TAG
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Kazu: A nice writeup by Sophos on the LockBit 3.0 ransomware, which shares quite a few similarities with the BlackMatter ransomware, which should not be that surprising since, from what I know, some of the old BM team have joined LB, so that is kinda to be expected. However, the analysis also reveals it has wormable capabilities and tools with the aim of making it spread quicker and faster so the time to deployment is shorter.
Tags: InfoSec, RE, Malware, Ransomware, CTI, DFIR, Blackmatter, Lockbit
Apple patent could remotely disable protesters' phone cameras
https://www.zdnet.com/article/apple-patent-could-remotely-disable-protesters-phone-cameras
Kazu: Apparently Apple has submitted a patent that would allow them to remotely disable cameras on phones, which, while fronted in a positive way by Apple, can have lots of negative consequences as well.
While a patent is not a guarantee that it will happen anytime soon or at all, it gives an idea of what directions Apple is thinking in, and if Apple starts implementing stuff like that, it probably won't be long before other companies such as Samsung start looking into it as well.
Tags: Apple, privacy, patent, camera, remote, technology
Interview with the organiser of the URSNIF banking trojan
Kazu: VX-Underground is yet again out with another interview they did with a threat actor, which this time is someone identified as "LDR4 Operator" and is the organiser of the URSNIF banking trojan. It is an interesting read which anyone doing CTI should read, or just for people interested in knowing more about what is going on behind the screen on the other side of the law.
Tags: interview, VX-Underground, LDR4, malware, CTI