ISC StormCast for Friday, April 19th, 2024

Released Friday, 19th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Hello and welcome to the Friday, April 19th, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and I'm recording from Washington, DC.

0:14

We now have a public proof of concept and more details for the Delinea Secret Server vulnerability. Thycotic, it used to be known as. This particular vulnerability allows an unauthenticated user to gain access to the API on these devices. Interesting vulnerability. It's one of those tricky authentication bypass vulnerabilities you often run into when developers try to do something fancy, different, and don't quite understand all the precautions of all the authentication schemes they come up with. The problem here is that, first of all, there's a user ID that's just encrypted with a static key, so it's pretty easy to find that key, decode it, and then create your own encrypted user ID. Just simply impersonating a user with this encrypted user ID was not possible initially, because there was also a timestamp that was linked to a random UUID that was not predictable. But it turns out, if this UUID is just removed, and the expiration date of the session, then, well, that check is skipped and an attacker is able to log in as any user. Exploitation of this is pretty straightforward based on this blog post. The blog post was published by Johnny Yu, who did initially also find and report the vulnerability to Delinea.

1:45

And thanks to Tenable, we also now have additional details and a proof of concept exploit for the Ivanti Avalanche heap buffer overflow, something I mentioned earlier this week. So both the Delinea and Ivanti, you should patch these products before you leave for the weekend.

2:05

Typically, phishing campaigns don't really get me that excited, but Lookout has a nice write-up about a bit more sophisticated phishing campaign in terms of how they are impersonating their targets. First of all, these phishing emails are actually SMS messages, as they show up, and are targeting specific individuals. Then the link the particular SMS message connects to is customized to the individual to display them a very convincing phishing page, in particular when you're dealing with mobile devices. This, for example, involves registering specific domains that are really good at impersonating the specific target, also including things like phone numbers and such in the domain in order to make the particular phishing attack more convincing. Pretty good thing to maybe include in an awareness presentation to show that it's not always sort of these very obvious and simple phishing attacks that your users should be ready for.

3:11

And HashiCorp released an update for go-getter. This particular library allows downloading files from URLs, including Git URLs. And if a Git URL was downloaded, which means that the URL is being passed to the Git command line, arguments weren't escaped properly, and that could have then led to code execution.

3:36

And Cisco published a blog post about what they're calling the OfflRouter virus. This particular virus is interesting because it very specifically targets Ukraine, even though some of the code in the virus is somewhat broken, which reduces the effectiveness of this virus somewhat. But still, even with not being 100% effective, the virus has been hanging around for several years now and appears to not be going away. Maybe in some ways, by not being overly effective, it turns out to be a little bit quieter and with that is less likely going to be found in networks. This virus includes itself as a macro in Word documents. Of course, one problem here is that macros are typically no longer executed by default. When it infects a particular system, it may then attach itself to additional Word documents and upload other Word documents to public file repositories where an attacker could then download them from. More details about the virus can be found in Cisco's blog. It's believed that this particular virus focuses on Ukraine because the only documents being found infected were written in Ukrainian. Not all the details are yet quite known about this sample.

4:59

Well, that's it for today. Thanks for listening, and talk to you again on Monday. Bye.
