Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

https://risky.biz/

Risky Business #666 -- The msdt RTF of DOOM


On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:

  • The msdt/office lolbinapalooza
  • Microsoft to introduce sensible defaults to Azure
  • Twitter fined $150m for SMS 2FA spam
  • It turns out npm got owned in that Heroku/Travis CI thing
  • AWS cred-stealing supply chain attack was research your honour, I swear!
  • Much, much more

We’ll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week’s sponsor interview. He’ll be walking us through some of his own research into how to own Microsoft boxes via document-embedded Office add-ins.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.

Show notes
  • nao_sec on Twitter: "Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 https://t.co/rVSb02ZTwt" / Twitter
  • Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
  • Kevin Beaumont on Twitter: "Additional Follina issue, if you use wget in PowerShell, it blindly executes any code via MSDT as it trusts all MS Protocol URIs. So to clarify, if you wget a webpage you don’t control and the webpage adds Follina exploit string, your server then runs the code." / Twitter
  • Microsoft Office Remote Code Execution - “Follina” MSDT Attack
  • Raising the Baseline Security for all Organizations in the World - Microsoft Tech Community
  • npm security update: Attack campaign using stolen OAuth tokens | The GitHub Blog
  • Twitter fined $150 million by FTC for alleged privacy violations - The Record by Recorded Future
  • REvil prosecutions reach a 'dead end,' Russian media reports
  • Multiple flights across India grounded after SpiceJet airline hit with ransomware - The Record by Recorded Future
  • Exclusive: Russian hackers are linked to new Brexit leak website, Google says | Reuters
  • Russian companies have begun laying off Ukrainian IT specialists - РБК (RBC)
  • Hacker Leaks Mountain of Files From Inside Xinjiang Camps
  • Spain set to strengthen oversight of secret services after NSO spying scandal | The Times of Israel
  • No evidence of exploitation of Dominion voting machine flaws, CISA finds - The Washington Post
  • Researchers identify FIDO2 protocol vulnerabilities - Security - iTnews
  • 756.pdf
  • Security ‘researcher’ hits back against claims of malicious CTX file uploads | The Daily Swig
  • Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says | Reuters
  • Hacker Steals Database of Hundreds of Verizon Employees
  • GarWarner on Twitter: "Last month the US Department of Justice petitioned the court to be allowed to seize Mr. Woodbery's Bitcoin. 151.885720427 BTC is 11,930,370 Naira or $4,364,299 USD currently. (Thread 1/? ) https://t.co/Xh39FTLQUV" / Twitter
  • Malcolm Herbert on Twitter: "@riskybusiness @Metlstorm ... for some reason I never pictured you guys as doing a recording session before sunup, but then I guess with @Metlstorm being in NZ that kinda makes sense now that I think about it ... I'll see myself out ..." / Twitter
  • Darknet market Versus shuts down after hacker leaks security flaw
  • Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat | Ars Technica
  • Red Canary Managed Detection and Response - YouTube
  • Airlock Digital Demo - YouTube


May 31, 2022