al3x@wannaCYbeR(security)~$ echo "Issue \x0F"
Alessandra Perotti
Malware Reverse Engineer + Cyber Threat Intel Analyst @ CVS Health | Threat Researcher | GREM | GCIH | GIAC Advisory Board
Greetings, fellow cyber people, and welcome to the fifteenth issue of wannaCYbeR (security,) a weekly newsletter dedicated to those who are starting their journey in cybersecurity. It’s been a pretty interesting week so far, between unusual ransomware asks and various hacks. On a personal level, I found out that my work was selected to move to Tier 2 of the Cyber Defense Challenge powered by Women in Cybersecurity and Target, and I couldn’t be more excited. Anyway, whether or not you’ll be following the SANS ICS Security Summit today and tomorrow, it’s time to dive into some news.
Ransomware Keys for Good Deeds
Who knew ransomware could be fueled by good motivations? It seems to be the case with GoodWill, a ransomware actor that spreads encryption software asking for good deeds in exchange for the decryption key. In fact, the ransomware note states that the victim needs to perform “three socially driven activities to be able to download the decryption key,” which are detailed and need to be shared with the public on social media, as researchers with CloudSek describe in their intelligence report.
Is this going to open the doors for hacktivists to a new way of achieving specific goals, instead of relying on DDoS and more “traditional” online attacks? Maybe, as it could encompass very specific targets, activities, and rewards, and it could very easily raise money for a multitude of very important social causes.
From a different perspective, would these charities want to be associated with extortion activities? I doubt it, as it would be a political and PR nightmare as well as a way to potentially lose other sources of support and funding – not a wise move, in the long run. Sometimes, the line that separates those who take the “ethical” part in “ethical hacker” to heart from those who don’t can be very fine, but I also believe that people should think about disruptive activities holistically and really understand what can benefit who, as opposed to wearing the ego badge of “but we’re doing it for good.”
Follina, but not the Italian Small Town
Last week, a security researcher named nao_sec identified a new malicious Word document that leverages a zero-day bug in Office and Windows to execute PowerShell code.
As security researcher Kevin Beaumont explains in his blog post, “The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” Unlike your usual Office exploitation, this doesn’t need macros to be enabled to execute, and, according to research, if the same file is saved in .rtf format, the code can execute even without opening it, via the preview feature.
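The retrieval chain Beaumont describes (document, then remote template relationship, then HTML, then an ms-msdt: URI) is also what a defender can look for when triaging a suspicious attachment. The Python script below is an added example written for this issue, not code from the newsletter or from any of the researchers cited. It treats a .docx as what it is, a zip of XML parts, flags any attachedTemplate relationship whose target is an HTTP(S) URL, and separately checks fetched HTML for the ms-msdt: scheme. The container it scans is constructed in memory, the host name is a reserved .invalid placeholder, and the triage verdict strings are my own convention.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationship namespace and the relationship type Word uses for an
# attached (possibly remote) template. Both are standard OOXML identifiers.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REMOTE_SCHEMES = {"http", "https"}

# Any HTML fetched as a template that carries an ms-msdt: URI is suspect;
# the regex is deliberately loose (case-insensitive, tolerates whitespace).
MSDT_URI = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes):
    """Return (rels_part, target) pairs for attached templates fetched over HTTP(S).

    Every *.rels part in the container is scanned, so the check is not fooled
    by the relationship living somewhere other than word/_rels/settings.xml.rels.
    Local templates (file:// or bare paths) are ignored to keep the signal clean.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as container:
        for part in container.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(container.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    findings.append((part, target))
    return findings


def has_msdt_uri(html_text: str) -> bool:
    """True if fetched template content references the ms-msdt: handler."""
    return MSDT_URI.search(html_text) is not None


def build_sample_docx(rels_xml: str) -> bytes:
    """Construct a minimal in-memory container for testing (constructed data,
    not a real document; only the part the scanner reads is meaningful)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        container.writestr("word/document.xml", "<document/>")
        container.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples. A normal document points at a local template; the
# suspicious one points at an HTTP host (placeholder name, not a real host).
BENIGN_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/user/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>"""

REMOTE_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="http://template-host.invalid/rtf.html" TargetMode="External"/>
</Relationships>"""

BENIGN_DOCX = build_sample_docx(BENIGN_RELS)
REMOTE_DOCX = build_sample_docx(REMOTE_RELS)


def triage(docx_bytes: bytes, fetched_html: str = "") -> str:
    """Combine both checks into a verdict string (my own naming convention)."""
    remote = find_remote_templates(docx_bytes)
    if not remote:
        return "clean: no remote template"
    if fetched_html and has_msdt_uri(fetched_html):
        return "malicious: remote template delivers ms-msdt URI"
    return "suspicious: remote template " + ", ".join(t for _, t in remote)


if __name__ == "__main__":
    print(triage(BENIGN_DOCX))
    print(triage(REMOTE_DOCX))
    print(triage(REMOTE_DOCX, '<script>window.location.href = "ms-msdt:placeholder";</script>'))
```

Two caveats worth keeping in mind: the relationship check only applies to the OOXML container, so the .rtf variant Beaumont mentions needs a different parser, and a remote template by itself is only suspicious (enterprise templates do get hosted centrally), which is why the verdict escalates to "malicious" only once the fetched HTML is seen to carry the ms-msdt: scheme.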
You Might not Wanna Pick up That Unknown WhatsApp Call
Your WhatsApp account could be stolen if you decide to respond to the wrong phone call, as reported by Rahul Sasi, founder of cybersecurity company CloudSek, in a LinkedIn post.
“First, you receive a call from the attacker who will convince you to make a call to the following number **67*<10 digit number> or *405*<10 digit number>. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account,” says Sasi.
Behind the scenes, the attacker made you forward your phone calls to a number they own, while, in the backend, “the attacker triggers the WhatsApp registration process for your number and chooses the option to send OTP via phone call. Since your phone is engaged- the OTP will go to the attacker's phone, and it's game over for you.”
New Vulnerabilities for the Open Automation Software Platform
Research by Jared Rittle at Cisco Talos revealed multiple vulnerabilities in the Open Automation Software (OAS) Platform that could allow threat actors to gain access to a device, execute code, perform DDoS attacks, and more, as reported by Jon Munshaw for Cisco Talos.
“The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware.”
Meme of the Week: Security Controls
Special of the Week #1: CISA’s Secure Tomorrow Series Toolkit
This week, the Cybersecurity and Infrastructure Security Agency (CISA) released the Secure Tomorrow Series Toolkit, a collection of resources dedicated to people in the critical infrastructure sector to “self-facilitate and conduct strategic foresight activities that will enable them to derive actionable insights about the future, identify emerging risks, and develop risk management strategies that, if taken today, could enhance long-term critical infrastructure security and resilience to implement now.”
People from the public and private sectors, as well as think tanks, gathered to produce this series of resources which includes scenario workshops, threat timelines, matrix games, and cross-impact sessions that will help stakeholders identify, manage, and mitigate cybersecurity risk.
Special of the Week #2: Hacking the Electric Power Grid
For all the industrial cybersecurity fans, ICS/OT security expert Gabriel Agboruche recently shared this fun and informational video on how electric power grids work, HMIs (Human-Machine Interfaces, a.k.a. machines that monitor the health of the plant), IEDs (Intelligent Electrical Devices, which communicate between the local power grid and the electricity provider,) and the focus on availability in environments that often use outdated IT infrastructure and software.
That's all for this week. If you enjoyed the newsletter, please feel free to share it with your connections. Do you know of a great piece of content I should include? Don’t be shy, reach out!
P.S. In case you were wondering, I don't receive any compensation or sponsorship for the content I share. I do it just because I love to nerd out with other people on topics of common interest.