Sandwiched in the IT Privacy and Security Weekly Update for May the Fourth 2021



Daml’ers,

We start with the true story of May the fourth, and end up with a suggestion that might just prevent injury.

In between those lovely layers of freshly baked updates are sandwiched some very tasty servers, Russian Dressing, some NY rye, something else that smacks of dog food, doublestuff and an apple.

After you finish, your mum will be waiting for you.

Now on our best behavior: let’s order the flowers, pull up our socks, straighten our shirts and make the best impression yet … with the best IT Privacy and Security Update yet!


UK: May the Forth be… wait. Who started this?

Tuesday, May the 4th, marks what has become known as Star Wars Day, a global celebration of George Lucas’ immensely successful sci-fi franchise. The day takes its name from a clever pun on one of the franchise’s most famous lines, “May the force be with you”, which was subsequently tweaked to “May the Fourth be with you.”

While the pun has become ubiquitous on May 4th and the day has developed from an informal celebration mostly limited to Star Wars fans into a global event—a sale bonanza for several retailers—its origins remain somewhat unclear.
The credit for the pun should apparently go to the brains at the London Evening News who, on May 4, 1979, congratulated Margaret Thatcher for winning the parliamentary election in the U.K.

“May the Fourth be with you, Maggie. Congratulations,” read the headline welcoming the newly-elected Prime Minister into her new job.

Considering Thatcher won her first election almost exactly two years after Star Wars was released—the movie, later retroactively titled Star Wars: Episode IV - A New Hope, hit the screens on May 25, 1977—it is perfectly plausible that someone else had come up with the pun before the London Evening News did. However, it is the now-defunct newspaper—it was incorporated into the Evening Standard just a year after its Star Wars-inspired headline—which can claim to have first introduced May the Fourth to the wider public.
The pun’s popularity subsequently took off, despite the fact Lucasfilm, the TV and movie production company founded by Star Wars’ director George Lucas, never officially got involved with the events and parties that were first held when the pun became a worldwide phenomenon.

So what’s the upshot for you? Love her or hate her, you have to give credit where it is due. Who would have guessed that it was newly elected UK prime minister Margaret Thatcher, and not George Lucas, who made this day what it is?


Global: Two million database servers are currently exposed across cloud providers

According to its report, published this week, Censys said it found more than 1.93 million databases on cloud servers that were exposed online without a firewall or other security protections.

The security firm argues that threat actors could discover these databases and attack them using exploits for older vulnerabilities and gain access to their data.

Furthermore, if the database was exposed by accident, the chances are that it is also using a weak password or none at all, exposing its entire contents to anyone who discovers its IP address.

Censys said it scanned for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached, and Oracle databases and found that almost 60% of all exposed servers were MySQL databases, which accounted for 1.15 million of the total 1.93 million exposed DBs.
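The report counts databases reachable from the internet with no firewall in front of them. The check below is an added example, not code from Censys or from this newsletter: it walks a simplified, constructed security-group style ruleset (the field names `name`, `protocol`, `from_port`, `to_port` and `cidr` are my assumption, not any cloud provider's schema) and reports every rule that lets the whole internet reach the default port of one of the eight database engines the report names. It also handles the two shapes that usually slip past a quick visual review: an "all traffic" rule with no port range, and a wide TCP port range that happens to include a database port.

```python
import ipaddress

# Default listener ports of the database engines named in the Censys report.
DB_PORTS = {
    1433: "MSSQL",
    1521: "Oracle",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    11211: "Memcached",
    27017: "MongoDB",
}
# Memcached is the only one of these that also listens on UDP by default.
UDP_DB_PORTS = {11211}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_range(rule: dict):
    """Return (low, high) for a rule; 'all traffic' rules cover every port."""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto in ("-1", "all"):
        return 0, 65535
    return int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))


def rule_exposes(rule: dict, port: int) -> bool:
    """Does this rule permit inbound traffic to the given database port?"""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto not in ("tcp", "udp", "-1", "all"):
        return False
    if proto == "udp" and port not in UDP_DB_PORTS:
        return False  # a UDP rule on 3306 does not expose MySQL
    low, high = rule_port_range(rule)
    return low <= port <= high


def find_exposed_db_rules(rules) -> list:
    """One finding per (rule, database port) reachable from the whole internet."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        for port in sorted(DB_PORTS):
            if rule_exposes(rule, port):
                findings.append({"rule": rule["name"], "db": DB_PORTS[port], "port": port})
    return findings


# Constructed sample ruleset in a simplified security-group shape (not from any real account).
SAMPLE_RULES = [
    {"name": "web-https", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"name": "mysql-public", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "0.0.0.0/0"},
    {"name": "mysql-internal", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/8"},
    {"name": "allow-all-v6", "protocol": "-1", "cidr": "::/0"},
    {"name": "wide-tcp-range", "protocol": "tcp", "from_port": 6000, "to_port": 7000, "cidr": "0.0.0.0/0"},
    {"name": "memcached-udp", "protocol": "udp", "from_port": 11211, "to_port": 11211, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for f in find_exposed_db_rules(SAMPLE_RULES):
        print("%-16s exposes %-13s on port %d to the whole internet" % (f["rule"], f["db"], f["port"]))
```

On the sample ruleset the internal-only MySQL rule and the HTTPS rule produce nothing, while the IPv6 "allow all" rule alone yields eight findings; that rule is exactly the kind of detail that gets missed when a workload is lifted from one provider to another.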

So what’s the upshot for you? Apparently so many companies are moving so frequently between different cloud service providers that the little details are being missed. “Same, Same, but different”, certainly applies to cloud configuration, and the real devil is in the detail.


RU: Kaspersky discovered malware developed by the US Central Intelligence Agency.

Due to the similarities between these newly discovered samples and past CIA malware, Kaspersky said it is now tracking this new malware cluster as Purple Lambert.

Based on Purple Lambert metadata, the malware samples appear to have been compiled seven years ago, in 2014.

Kaspersky said that while it has not seen any of these samples in the wild, they believe Purple Lambert samples “were likely deployed in 2014 and possibly as late as 2015.”

As for what this malware does, "Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload.

Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert."

So what’s the upshot for you? So the Americans do this sort of thing too? Who would have guessed? And who named them Lambert?


US: NYPD cancels use of robotic dog after backlash

The New York Police Department (NYPD) will no longer be using the controversial “robot dog” following mounting uproar against the machine’s use, officials confirmed Wednesday.

John Miller, NYPD deputy commissioner for intelligence and counterterrorism, told The New York Times that the leasing contract valued at around $94,000 with the robot dog’s maker, Boston Dynamics, had been ended early on April 22.

In February, New York Rep. Alexandria Ocasio-Cortez (D) denounced the use of the robot, saying it was being used to target low-income communities of color. “Please ask yourself: when was the last time you saw next-generation, world class technology for education, healthcare, housing, etc consistently prioritized for underserved communities like this?” Ocasio-Cortez tweeted at the time.

So what’s the upshot for you? This one kind of feels like getting bitten in the backside… and we agree with AOC!


Global: DoubleStuff: Doubledrag, Doubledrop, and Doubleback

Organizations in the US, EMEA region, Asia, and Australia have, so far, been targeted in two separate waves.
Phishing messages sent to potential victims in these redoubled campaigns rarely came from the same email addresses, and subject lines were tailored to targets; in many cases, the threat actors masqueraded as account executives touting services suited to different industries – including defense, medicine, transport, the military, and electronics.

The first stage payload downloaded from various URLs consisted of a Zip compressed file containing a corrupt decoy PDF document and a heavily obfuscated JavaScript downloader.
Each of the observed DOUBLEDRAG downloaders attempted to download a second-stage memory-only dropper. The downloaded file is a heavily obfuscated PowerShell script that will launch a backdoor into memory on a Windows machine. If the dropper was executed within an elevated PowerShell process, it creates a scheduled task. At this point the backdoor is running inside the hijacked msiexec.exe and the instance inside the PowerShell process terminates itself.
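Two observable steps stand out in that chain for anyone writing detections: the PowerShell-launched dropper ends up running its backdoor inside msiexec.exe, and an elevated dropper creates a scheduled task. The script below is an added example, not code from Mandiant or from this newsletter: it runs two hunt heuristics over constructed process-creation events (the event fields `pid`, `ppid`, `image` and `cmdline` are my assumption, as are the heuristics themselves, which are not stated in the text): an msiexec.exe whose ancestry includes powershell.exe but whose command line names no .msi package, and a schtasks.exe `/create` launched from under PowerShell. Legitimate installs, which carry a package path and are usually started from Explorer or an admin console, are left alone.

```python
def basename(image: str) -> str:
    """Strip any Windows path so comparisons work on the executable name alone."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, ppid: int, limit: int = 6) -> list:
    """Executable names of a process's parent, grandparent, ... (nearest first)."""
    chain = []
    current = by_pid.get(ppid)
    while current is not None and len(chain) < limit:
        chain.append(basename(current["image"]))
        current = by_pid.get(current["ppid"])
    return chain


def hunt_powershell_dropper_chain(events) -> list:
    """Return (pid, reason) for every event matching one of the two heuristics."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = basename(e["image"])
        cmdline = e.get("cmdline", "").lower()
        parents = ancestors(by_pid, e["ppid"])
        if image == "msiexec.exe" and "powershell.exe" in parents and ".msi" not in cmdline:
            hits.append((e["pid"], "msiexec.exe started under PowerShell without an .msi package"))
        elif image == "schtasks.exe" and "/create" in cmdline and "powershell.exe" in parents:
            hits.append((e["pid"], "scheduled task created from a PowerShell process"))
    return hits


# Constructed process-creation events (not real telemetry), modelled on the chain in the text:
# a script host runs the JavaScript downloader, which runs PowerShell, which spawns an
# argument-less msiexec.exe and a scheduled task. Two benign installs are mixed in as controls.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe invoice.js"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <constructed>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr <constructed>"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\me\Downloads\setup.msi"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\tools\agent.msi /qn"},
]

if __name__ == "__main__":
    for pid, reason in hunt_powershell_dropper_chain(SAMPLE_EVENTS):
        print("pid %d: %s" % (pid, reason))
```

Walking the full ancestry rather than only the direct parent matters here: the backdoor may interpose another process between PowerShell and msiexec.exe, and a parent-only rule would miss it.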

DOUBLEBACK appears to be an ongoing work in progress and Mandiant anticipates further actions by UNC2529 to compromise victims across all industries worldwide.
“Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups.”

So what’s the upshot for you? This smacks of a nation state doubling up on targeted efforts to compromise specific individuals. The question now is which nation-state is UNC2529? Stay tuned for more on this story…


Global: What the Dell?

CVE-2021-21551: Hundreds of millions of Dell computers running Windows are at risk due to multiple BIOS driver privilege escalation flaws
“These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch.”

Dell was made aware of the findings on December 1, 2020. Following triage and issues surrounding some fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines.

“We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers,” a Dell spokesperson said. “We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue.”

Proof-of-Concept (PoC) code is being withheld until June to allow users time to patch.

So what’s the upshot for you? Bad news for Dell based Windows users. The good news is that it doesn’t appear to have been widely exploited… yet. If you run Windows on a Dell, keep an eye out for patches from Dell and then get them in place quickly!


Global: New Pingback Malware uses ICMP Tunneling on Windows to Evade C&C Detection

Called ‘Pingback,’ the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to utilize ICMP packets to piggyback attack code.
Pingback takes advantage of an Echo request (ICMP message type 8), with the message sequence numbers 1234, 1235, and 1236 denoting the type of information contained in the packet — 1234 being a command or data, and 1235 and 1236 being the acknowledgment for receipt of data on the other end.
Some of the commands supported by the malware include the capability to run arbitrary shell commands, download and upload files from and to the attacker’s host, and execute malicious commands on the infected machine. An investigation into the malware’s initial intrusion route is ongoing.
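The sequence-number convention above is something a network sensor can key on, since a legitimate ping client increments its sequence number rather than pinning it to a fixed marker value. The script below is an added example, not code from the Pingback write-up or from this newsletter: it parses raw ICMP messages, verifies the RFC 1071 checksum, flags echo requests whose sequence number is one of the three values the text attributes to Pingback, and, as a more general heuristic that is my own assumption rather than anything reported, also flags echo requests with an unusually large payload, which is the tell common to most ICMP tunnels whatever their framing. The sample capture is constructed in the script itself.

```python
import struct

# Sequence numbers the report attributes to Pingback's echo-request framing.
PINGBACK_SEQ = {1234: "command or data", 1235: "acknowledgement", 1236: "acknowledgement"}

# Generic tunnelling heuristic, my assumption rather than anything in the report:
# ordinary pings carry small payloads (Windows sends 32 bytes, Linux 56 by default),
# so a much larger echo payload is worth a second look whatever its sequence number.
MAX_BENIGN_PAYLOAD = 64

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Split raw ICMP bytes into header fields (echo layout) and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,  # a valid message sums to zero
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
    }


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a constructed echo request (used here only to feed the detector)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def classify(packet: bytes) -> list:
    """Return the reasons a message looks like ICMP tunnelling; an empty list means benign."""
    msg = parse_icmp(packet)
    reasons = []
    if msg["type"] == ICMP_ECHO_REQUEST and msg["seq"] in PINGBACK_SEQ:
        reasons.append("echo request seq %d (%s) matches the Pingback pattern"
                       % (msg["seq"], PINGBACK_SEQ[msg["seq"]]))
    if msg["type"] == ICMP_ECHO_REQUEST and len(msg["payload"]) > MAX_BENIGN_PAYLOAD:
        reasons.append("oversized echo payload (%d bytes)" % len(msg["payload"]))
    return reasons


def find_suspicious(packets) -> list:
    """Run classify() over a capture; returns (index, reasons) for each message that fired."""
    hits = []
    for index, packet in enumerate(packets):
        reasons = classify(packet)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample capture (not real traffic): a normal Windows-style ping, a
# Pingback-style command packet, an acknowledgement, and a bulky echo request
# with an ordinary sequence number that only the payload-size heuristic catches.
SAMPLE_CAPTURE = [
    build_echo_request(0x0001, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request(0x0001, 1234, b"constructed command payload"),
    build_echo_request(0x0001, 1235, b""),
    build_echo_request(0x0001, 7, b"X" * 512),
]

if __name__ == "__main__":
    for index, reasons in find_suspicious(SAMPLE_CAPTURE):
        print("packet %d: %s" % (index, "; ".join(reasons)))
```

The fixed-sequence rule is cheap and precise but only catches this one family; the payload-size rule is the one worth keeping on a perimeter sensor, tuned to whatever ping sizes your own monitoring tools actually send.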

So what’s the upshot for you? ICMP tunneling has been around for a while, but this is a creative new use that must be pushing some Windows administrators to the very edge…


Global: And if last week’s macOS update had you sweating, there’s another one waiting!

This time, the reason for the latest patches, which apply to macOS, iOS, iPadOS and watchOS, is clear, because four critical bugs have been addressed:

  • CVE-2021-30665: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30663: An integer overflow was addressed with improved input validation.
  • CVE-2021-30661: A use after free issue was addressed with improved memory management.
  • CVE-2021-30666: A buffer overflow issue was addressed with improved memory handling.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

There are four related terms that all could be used in this compromise so let’s run through them…

  • Drive-by means that just visiting a website and viewing it is enough to trigger the bug, so you only need to be lured onto a booby-trapped site to take a look.
  • Web-based means that the attack can happen right inside your browser, despite all the sandboxing and other protection that is supposed to keep browsing safe.
  • Zero-day means that there were zero days that you could have patched in advance, because the crooks found and started exploiting the bug first, before a patch was available.
  • And RCE means remote code execution, where the crooks get to run remotely supplied code of their choice, decided at the time you visit the booby-trapped website.

Sigh…

On iDevices, go to Settings > General > Software Update.
On a Mac, it’s Apple menu > System Preferences > Software Update.

So what’s the upshot for you? Each of these updates seems to take 30 minutes and a couple of reboots. Perhaps Apple can move to a patch Wednesday schedule so users, if they have any, can plan their social time accordingly.


US: Biden team may partner with private firms to monitor extremist chatter online

The Biden administration is considering using outside firms to track extremist chatter by Americans online, an effort that would expand the government’s ability to gather intelligence but could draw criticism over surveillance of US citizens.

The Department of Homeland Security is limited in how it can monitor citizens online without justification and is banned from activities like assuming false identities to gain access to private messaging apps used by extremist groups such as the Proud Boys or Oath Keepers.

Instead, federal authorities can only browse through unprotected information on social media sites like Twitter and Facebook and other open online platforms.

The plan being discussed inside DHS, according to multiple sources, would, in effect, allow the department to circumvent those limits.

Some of the research firms and non-profit groups under consideration by the DHS periodically use covert identities to access private groups on platforms like Telegram and others used by domestic extremist groups. That thrusts DHS into a potential legal gray area even as it plugs an intelligence gap that critics say contributed to the failure to predict the assault on the Capitol.

“We are exploring with our lawyers, civil rights, civil liberties and privacy colleagues, how we can make use of outside expertise,” the DHS official added, referring to the department’s efforts related to encrypted applications.

So what’s the upshot for you? This certainly is a reminder of the Prism program 10 years ago, when the NSA, FBI, and CIA gathered and searched through Americans’ international emails, internet calls, and chats without obtaining a warrant. Let’s hope the American Civil Liberties Union dissuades them again.


And finally, the perfect excuse… wait for it.

US: Shipping Containers Are Falling Overboard at a Rapid Rate

Containers piled high on giant vessels carrying everything from car tires to smartphones are toppling over at an alarming rate, sending millions of dollars of cargo sinking to the bottom of the ocean as pressure to speed deliveries raises the risk of safety errors.

The shipping industry is seeing the biggest spike in lost containers in seven years. More than 3,000 boxes dropped into the sea last year, and more than 1,000 have fallen overboard so far in 2021. The accidents are disrupting supply chains for hundreds of U.S. retailers and manufacturers such as Amazon and Tesla.

There are a host of reasons for the sudden rise in accidents.

Weather is getting more unpredictable, while ships are growing bigger, allowing for containers to be stacked higher than ever before. But greatly exacerbating the situation is a surge in e-commerce after consumer demand exploded during the pandemic, increasing the urgency for shipping lines to deliver products as quickly as possible.

In January, the Maersk Essen lost about 750 boxes while sailing from Xiamen, China, to Los Angeles. A month later, 260 containers fell off the Maersk Eindhoven when it lost power in heavy seas.

The need for speed is creating precarious conditions that can quickly bring disaster, according to shipping experts. Almost all the recent incidents have occurred in the Pacific Ocean, a region where the busiest traffic and the worst weather collide. The sea route connecting Asia’s economies to consumers in North America was the most lucrative for shipping companies last year. China’s exports have gone on a tear as the pandemic fuels demand for all the stuff people need to work, learn and entertain from home.

The journey has always been rough, but it’s become more perilous due to changing weather patterns. The rise in traffic from China to the U.S. this past winter coincided with the strongest winds over the Northern Pacific since 1948, increasing the likelihood of rougher seas and bigger waves.

So what’s the upshot for you? If you are in the US, you now have a plausible explanation to give your mum when she asks why you haven’t remembered her present again this Mother’s Day (Sunday).


And that’s it for this week. Stay safe, stay secure, keep applying those updates and be good to your mum!

Hi mum!

See you again in Se7en!